BY  CHRISTOPHER  KOCH 


Michael  Schrage:  How  to  Overcome  the  Culture  of  Resistance  page  34 

»  r:  *  ?  m 


****${£  v 


THE  RESOURCE  FOR  INFORMATION  EXECUTfl 

SELF-SERVICE 
THAT  WORKS 

ThelT  rules  for 
helping  customers 
help  themselves 

Page  58 

5Q-CENT  HOLES 

Commonsenseand 
low-cost  solutions 
to  common  security 
problems 

Page  66 


To  extend  his  supply  chain  all  the  way  to  China 
and  reduce  lead  times,  Watts  Water  Technologies 
VP  of  Information  and  Strategic  Planning 
Anton  Ter  Meulen  discovered  he  had  to 
improve  forecasting  accuracy. 


»  The  Culture 
»  Politics 
» Infrastructure 
»  Supply  Chain 

»  Costs  Page  46 


Vftlluc  REWRITE,  REVISE 

TUU  12  RE-EVERYTHING 

INFLEXIBILITY:  MEET  SOA 

PLUS:  TANGIBLE  BUSINESS  BENEFITS  ★  BEST  PRACTICES  FOR  BEST  RESULTS 

OVER  10  YEARS  OF  WORLD-CLASS  INTEGRATION  EXPERTISE 

- - - FEATURING: - - 

A  FASTER,  EASIER  WAY  TO  I  SUPPORT  FOR  OVER  |  UNPARALLELED  INDUSTRY 
IMPLEMENT  TRUE  SOA  I  80  O.S.  CONFIGURATIONS  I  KNOWLEDGE  t  PROCESS  SKILL 


IBM  MIDDLEWARE.  POWERFUL.  PROVEN. 

FIGHT  BACK  AT  WWW.IBM.COM/MIDDLEWARE/SOA.  THIS  IS  A  RIP-AND-REPLACE-FREE  EVENT. 


IBM,  the  IBM  logo  and  WebSphere  are  registered  trademarks  or  trademarks  of  International  Business  Machines  Corporation 
in  the  United  States  and/or  other  countries.  ©2005  IBM  Corporation.  All  rights  reserved. 


HI 


- 


FEATURING  * 

KNOCK  OUT  TO 

UN  &  MANAGE  CO 


MET 

me, 

;haos 


REDUCED  D 
REDUCED  BUS 


WWW.IBM.COM/MIDDLEWARE/PERFORMANCE 


iternational  Business  Machines  Corporation 
rporation.  All  rights  reserved. 

fi*  tv v 


The  new  Canon  imageRUNNER  solutions  and  support  addressed 
Don's  concerns  about  seamless  network  integration,  secured  printing 
and  managing  network  devices.  Hence,  Don's  no  longer  concerned. 


Don’s  company  isn’t  doing  business  as  usual.  What  about  your  company?  We’re  well  aware  of  your  daily  challenges  as  the 

gatekeeper  of  your  company’s  network.  And  we  totally  understand.  That’s  why  Canon’s  imageRUNNER®  solutions  are  raising  the  bar  for 
how  well  network  devices  work  and  how  seamlessly  they’re  integrated.  You’ll  appreciate  enhanced  security  features  that  include  a 
secured  print  function  for  document  confidentiality,  user  authentication,  NetSpot®  and  Remote  UP  for  easily  managing  network  devices. 
In  addition,  you  get  entirely  new  systems  across  our  full  line  of  imageRUNNER  solutions,  which  offer  intuitive  technology  that  works  with 
you,  not  against  you.  You  can  also  expect  your  current  investment  to  be  leveraged,  your  concerns  to  be 

addressed  and  the  potential  of  your  workday  to  be  expanded.  Which  means  no  more  business  as  usual.  ^  yfl  1 1 \J  | 

1-8QO-OK-CANON  www.imagerunner.com 


Canon,  IMAGERUNNER  and  NetSpot  aie  registered  trademarks  ol  Canon  Inc  .  in  the  United  States  and  may  also  be  registered  trademarks  in  other  countries.  IMAGEANYWARE  and  Remote  Ul  are  trademarks  ol 
Canon  U  S. A  ,  Inc.  ©  2005  Canon  U  S  A  .  Inc.  All  rights  reserved.  Products  shown  with  optional  accessories 


image  ANYWARE 


COVER  PHOTO  BY  KATHLEEN  DOOHER 


Watts  Water  Technologies  VP 
Anton  Ter  Meulen  points  Out 
that  joint  ventures  in  China  are 
difficult  because  "it’s  hard  to 
know  who’s  in  charge.” 


OCTOBER/15/2005  I  VOL/19  I  NO/2 


Change  Management 

HOW  TO  BECOME 
A  CHANGE  AGENT  |  32 

If  you  want  people  to  follow  you,  take  a  walk 
in  their  shoes. 

Column  by  Mike  Hugos 

THE  KEY  TO  INNOVATION:  OVERCOMING 
RESISTANCE  |  34 

CIOs  should  be  investing  less  time  in  brain¬ 
storming  ideas  and  more  time  in  targeting 
the  sources  of  resistance  to  change. 

Column  by  Michael  Schrage 

Communications 

HOW  TO  WRITE  A 
MEMORABLE  MEMO  |  85 

The  five  questions  to  answer  when  writing 
a  business  memo.  Part  of  our  Advanced 
Communications  series. 

Feature  by  Michael  Fitzgerald 

THE  ADVANCED  COMMUNICATIONS 
SERIES  |  GIO.COM 

Read  more  stories  from  the  Advanced 
Communications  Special  Report— including 
the  popular  “Mastering  the  Secret  Etiquette 
of  Golf”— at  www.cio.com/specialreports. 

Customer  Services 

SIX  SIMPLE  RULES  FOR  SUCCESSFUL 
SELF-SERVICE  58 


Supply  Chain 

COVER  STORY  |  MAKING  IT  IN  CHINA  |  46 

China  is  not  for  everyone,  because  of  the  high 
logistical  costs  of  getting  products  into,  around  and 
out  of  the  mainland.  Here’s  how  to  figure  out  if  and 
how  China  should  be  in  your  company’s  future. 

Feature  by  Christopher  Koch 


You  can  save  money,  increase  revenues  and 
generate  loyalty  when  you  let  customers 
help  themselves.  But  only  if  you  do  it  right. 

Feature  by  Alice  Dragoon 

IT  Security 

50-CENT  HOLES  |  66 

Most  of  your  security  problems  are  simple 
but  devilish.  Here  are  some  simple  but 
clever  solutions. 

Feature  by  Thomas  Wailgum 


more  » 


www.cio.com  |  OCTOBER  15,  2005 


3 


Identity 

Management 


evolve 


consolidate 


undefended 


undefendable 


assailable 


secure  adaptable 


allocate 


idoors 


Resource 

Management 


tralized 


manage 


automate 


simplify 


lolve'd, 


unfasteried 


blazing 


ZENworks1 


lower  costs 


foundation 


Data-eenter 


unrestricted 

enterprise  mj£ 


identity 


complete 


GroupWise® 

collaborate 

connect 

- unite 

Workgroup 
and  Collaboration 


bulletproof  undetermined^- 
cutting-edge 


simplify 


spread  out 


freedo 


SUSE™  LINUX 
Enterprise  Server 


capable 

integrate  deliver 


flexibility 

( 

desktop 


Linux  Desktop  9 


functionality 


Define  Your  Open  Enterprise. 

What  does  Open  mean  to  you?  Community?  Security? 
Risk?  Reward?  Can  it  leverage  legacy  systems? 
Consolidate  and  simplify?  Do  you  believe  in  its  power 
and  potential? 

Introducing  Novell  software  for  the  open  enterprise 
—  the  only  software  that  makes  Open  work  for  you. 
From  desktop  and  data  center  to  identity  manage¬ 
ment,  resource  management  and  collaboration,  our 
flexible  combination  of  open  source  and  commercial 


software  delivers  more  than  you  ever  imagined.  The 
power  to  manage  IT  assets  and  effort  automatically. 
Freedom  from  single  vendor  lock-in.  Security  that  keeps 
the  right  information  safe  and  the  right  people  informed. 
And  the  ability  to  connect  people  to  performance  and 
business  to  possibilities.  So  you  can  build  an  open 
enterprise  that  makes  sense  for  you  —  and  your  future. 
This  is  Novell  software  for  the  open  enterprise.  The 
Open  you’ve  wanted  all  along. 


Novell. 

This  is  your  open  enterprise. 

www.novell.com 


Copyright  ©  2005  Novell.  Inc.  All  Rights  Reserved.  Novell,  the  Novell  logo,  ZENworks  and  GroupWise  are  registered  trademarks;  SUSE  is  a 
trademark  of  Novell.  Inc.  in  the  United  States  and  other  countries.  All  third-party  trademarks  are  the  property  of  their  respective  owners. 


DEPARTMENTS 


Trendlines  |  21 

Open  Source  |  China’s  Bet  on  Linux 

Risk  Management  |  Are  You  at  Risk 
in  a  Catastrophe? 

Staffing  |  Go  West,  Job  Seekers 

Instant  Messaging  |  Answers  at  Your 
Fingertips 

Washington  Watch  |  After  Hurricanes,  Federal 
IT  Falls  Short 

Book  Review  |  How  to  Climb  the  Corporate 
Ladder 

Speech  Recognition  |  A  Computer  at 
Astronauts’  Command 

By  the  Numbers  |  Phishing  Sinks  Confidence 
in  E-Commerce 


Essential  Technology  j  88 

Security  |  New  Locks,  New  Keys 

Under  Development  |  The  Dawn  of  General- 
Purpose  Grid? 

From  the  Editor  |  10 

The  Voices  of  CIO  |  To  know  our  columnists 

is  to  know  us.  By  Abbie  Lundberg 

From  the  Publisher  |  96 


IT  Value 

WHY  YOU  SHOULD  EXPERIMENT  WITH  YOUR  BUSINESS  |  42 

How  to  use  business  experimentation  to  grow  your  company. 

Column  by  Jim  Cash  with  Keri  Pearlson 


Tax  Madness  j  Congress  should  close  the  tax 
loopholes  in  job  creation  legislation. 

By  Gary  Beach 

Inbox  I  16 
Index  !  98 


RETIREMENT  KEEPS  HIM  BUSY  |  74 

Herbert  Allison,  CEO  of  TIAA-CREF,  boosted  the  CTO  position  and 
restructured  IT  to  help  the  retirement  services  company  stem  rising 
costs  and  maintain  its  industry  standing. 

A  View  from  the  Top  interview  by  Meridith  Levinson 

Succession  Planning 

HOW  TO  GROOM  A  SUCCESSOR  |  38 


Executive  Summaries  |  100 

j 

Wh@t's  Hot  Online 

You  need  news  to  keep  up.  From  our  weekly 
TOP  10  I.T.  NEWS  STORIES  to  our  daily 
analysis  of  what  you  need  to  know,  keep 
up  every  day  at  www.cio.com. 


One  CIO  started  a  job  in  a  foreign  land  knowing  that  until  he  found  or 
groomed  a  successor,  he  wouldn’t  be  coming  home.  Part  of  the  CIO 
Leadership  Agenda  series. 

Peer  to  Peer  column  by  John  W.  Von  Stein 

CIO  LEADERSHIP  AGENDA  SERIES  |  CIO.COM 

Read  more  leadership  articles  at  www.cio.com/specialreports. 


6 


OCTOBER  15,  2005  |  www.cio.com 


Samsung  displays.  Turn  business  on 


he  Samsung  242MP  display.  Explore  more  of  what’s  out  there. 

ne  look  and  you’ll  see  how  the  combination  of  a  computer  display,  a  television  and  a  radio 
an  become  your  ultimate  source  of  knowledge.  And  why  Samsung  is  the  leading  display 
rand  in  the  world*  So  when  you’re  serious  about  business,  turn  on  a  Samsung.  And  turn 
aurself  on  to  a  whole  new  way  of  seeing  things,  www.samsung.com/monitor 

2005  Samsung  Electronics  America,  Inc.  Samsung  is  a  registered  trademark  of  Samsung  Electronics  Co..  Ltd. 

:reen  images  simulated.  ‘Global  market  share  leader  based  on  2004  iSuppli  Corporation  Rating. 


SAMSUNG 


i 


©  2005  Microsoft  Corporation.  All  rights  reserved.  Microsoft,  the  Windows  logo,  Windows  Server,  and  Windows  Server  System  are  either  registered  trademarks  or  trademarks  of 
Microsoft  Corporation  in  the  United  States  and/or  other  countries.  The  names  of  actual  companies  and  products  mentioned  herein  may  be  the  trademarks  of  their  respective  owners. 


□  CAN  IT  HELP  CONTROL  COSTS  AS  WE  GROW 


□  CAN  WE  DEPLOY 

□  HOW  RELIABLE  IS  IT 


ARE  THERE  HIDDEN  COSTS 


Microsoft 


eTget  the  facts. 


RAYOVAC  CHOSE  WINDOWS  SERVER  SYSTEM  AND  EXPECTS  TO  SAVE 
NEARLY  ONE  MILLION  DOLLARS. 


"By  choosing  Windows  Server™  over  Linux  for  our  new  SAP  APO  solution,  we'll  save  an 
estimated  one  million  dollars  in  software,  staffing,  and  support  costs  over  the  first  four  years. 
We  needed  performance,  security  enhancements,  and  reliability  at  a  reasonable  price, 
and  Linux  would  have  presented  additional  risks  in  all  of  those  areas.  It  may  be  the  new 
thing  from  a  technical  perspective,  but  Linux  doesn't  cut  it  from  a  business  perspective — 

I  need  a  proven  IT  environment  that  I'm  sure  we  can  support." 

-Rick  Dempsey,  Chief  Information  Officer,  Rayovac 


RAYVVAC 


For  these  and  other  third-party  findings,  go  to  microsoft.com/getthefacts 


Windows 
Server  System 


FROM  THE  EDITOR 


The  Voices 
of  CIO 


To  know  our  columnists 
is  to  know  us. 


The  quickest  way  to  get  to  know  a  magazine  is  by  reading  its  columns.  For  an  edi¬ 
tor,  inviting  a  columnist  onto  your  pages  is  a  bit  like  inviting  them  into  your  home.  Some 
come  for  a  single  dinner  party,  providing  company  and  conversation;  others  move  in  and 
stay  on  for  a  year  or  two,  becoming  valued  friends. 

We’ve  welcomed  a  number  of  new  columns  and  columnists  to  CIO  during  the  past  few 
years.  Just  looking  at  the  names  of  the  col umns  tells  you  a  lot  about  who  we  are: 

Total  Leadership 

From  the  Boardroom  "Always  speak  the  truth— think 

Competitive  Advantage  before  you  speak— and  write  it 

Peer  to  Peer  down  afterwards/' 

It’s  All  About  the  Execution  -Lewis  Carroll,  Through  the  Looking  Glass 

Executive  Coach 

Collectively,  these  titles  speak  to  the  subject  of  leadership  and  the  business  needs  it  must 
confront,  typically  addressing  questions  of  human  nature,  motivation,  and  organizational 
design  and  dynamics.  In  this  issue’s  From  the  Boardroom  column,  for  example,  Jim  Cash  and 
Keri  Pearlson  argue  that  experimentation  can  generate  the  innovations  that  drive  growth, 
yet  often  this  doesn’t  happen,  because  experimentation  can  feel  like  a  loss  of  control  over  strat¬ 
egy  formulation— which  executives  rightly  believe  to  be  part  of  their  core  responsibility. 

Michael  Schrage,  a  longtime  proponent  of  business  experimentation  (see  his  fine  book 
Serious  Play),  cautions  in  It’s  All  About  the  Execution  that  resistance  to  change  will  sabotage 
any  innovation  effort.  But  because  the  loci  of  resistance  vary  from  one  business  to  another, 
it’s  critical  to  understand  the  “culture  of  resistance”  that  exists  in  your  own  organization. 

Why  is  it  so  important  to  get  a  handle  on  change  and  innovation?  As  Schrage  writes,  “Good 
ideas  are  cheap;  good  implementations  aren’t.  Experience  teaches  that  aspiring  IT  innova¬ 
tors  don’t  need  better  ideas  that  make  more  sense,  but  better  implementations  that  make— 
or  save— more  money.  If  organizations  can  boost  their  ‘return  on  innovation’  by  investing  more 
in  good  implementations  than  in  good  ideas,  then  that’s  where  their  capital  should  go.” 

Or  as  Cash  and  Pearlson  put  it,  “In  the  current  business  climate.. .organic  growth  has 
become  an  important  criterion  for  market  valuation,  and  the  rate  of  innovation  is  a  key  input 
for  the  rate  of  organic  growth  in  large  companies.” 

CIO’s  columnists  are  what  good  columnists  ought  to  be:  opinionated  and  direct.  In  last 
issue’s  Executive  Coach  column,  for  instance,  Susan  Cramm  wrote,  “The  phrase  ‘manag¬ 
ing  expectations’  is  ridiculous  and  should  be  stricken  from  CIOs’  lexicons.  It  conveys  false 
hopes  that,  through  artful  maneuvering,  delivering  less  is  OK.  Nothing  but  food  satisfies 
hunger,  nothing  but  money  pays  the  rent,  and  nothing  but  a  ‘yes’  satisfies  IT’s  business  part¬ 
ners.”  But  opinions  in  a  vacuum  are  just  so  much  noise.  Cramm  goes  on  to  devote  two 
columns  on  ways  to  improve  business-IT  alignment. 

What  do  you  value  most  in  a  columnist?  Who  are  your  favorites?  Perhaps  you’d  like  to 
share  your  experiences  and  opinions  about  life  on  the  business  technology  front  lines.  If 
so,  drop  me  a  note.  We’re  always  looking  for  new  guests— and  new  friends— to  invite  to  the 
next  CIO  dinner  party. 


Abbie  Lundberg,  Editor  in  Chief 

lundberg@cio.com 


1  0 


OCTOBER  15,  2005  |  www.cio.com 


PHOTO  BY  STEVEN  VOTE 


MicroStrategy  is  #1  in 

Customer  Loyalty 

in  the  Business  Intelligence  Market 


In  a  recent  industry  survey  that  measured  customer  loyalty, 
MicroStrategy  outscored  all  of  the  competition. 


1  MicroStrategy 

2  Applix  TM1 

3  SAP  BW 

4  Microsoft  AS 

5  MISAlea 

6  Oracle  OLAP  Servers 

7  Business  Objects 

8  Hyperion  Essbase 

9  Oracle  Discoverer 
10  Cognos  PowerPlay 

60%  70%  80%  90% 

The  OLAP  Survey  4  measures  nearly  1 .000  customer  sites  and  is  the  largest  independent  survey  of  business  intelligence  (81)  products.  It  is  conducted  annually  by  Survey.com  and  industry  analyst,  Nigel  Pencise 


Report.  Analyze.  Monitor. 


Today,  thousands  of  organizations  worldwide  depend 
on  MicroStrategy  to  report,  analyze,  and  monitor  their 
mission-critical  business  data.  According  to  independent 
surveys,  MicroStrategy  customers  access  the  largest 
databases,  have  the  largest  business  user  populations, 
and  report  higher  business  benefit  from  their  business 
intelligence  applications. 


MicroStrategy  has  been  hailed  by  industry  analysts  for  its 
uniquely  integrated  architecture,  its  user  and  data  seal- 
ability,  and  its  dramatic  ease  of  use.  It  gives  business  users 
integrated  dashboards,  reporting,  and  analysis  they  desire 
and  provides  IT  staff  an  easily  maintainable  industrial- 
strength  business  intelligence  platform  they  need. 


For  your  Free  Evaluation 
Software,  visit  us  at 
www.microstrategy.com/CD 


888.537.8135 


ONE  VISION.  ONE  MACHINE. 
ONE  LEGACY  IN  THE  MAKING. 


^^SSSn 

MW' 


\AlO 


tV-  : 


■PI 

Sk* 


Klii 


■PShSSS??' 


SONY 


like.no.othef 


©2005  Sony  Electronics  Inc.  All  rights  reserved.  Sony,.  VAlG,  and  Like  no  Oilier  are  trademarks  of  Sony,  lrt?@L  Intel  logo.  Intel  Inside.  Intel  Inside  logo. 
Intel  Gentrino,  and  Intel  Gentrino  logo  are  trademarks  or  registered  trademarks  of  intei  Corporation  Of  its  subsidiaries  in  the  United  States  and  etn 
countries.  Microsoft  and  Windovt®.«r«  registered  trademarks of  Microsoft  Corporation,  3 .  Available  in  select  models.  Subscription  YMhCinigular  Wireless 
required.  See  sony.com/cingulai  for  complete  otter  details,  price  plans,  service-  terms  arid  conditions,  and  coverage  map,  Call  MSS-TSS-VAlQ  18246) 
for  service  activation.  2,  Requires  802. 1 1  b  or  802, 1 1  g  compatible  access  point.  Some  functionality  may  require  Internet  services,  which  may  -require  a  fee. 
3.  Interoperability  among  Bluetooth  devices  varies. 


Sony  recommends 
Windows®  XP  Professional. 


& 


INTRODUCING  THE  VAIO  PROFESSIONAL  BX  SERIES  NOTEBOOK  WITH  INTEL1,  CENTRINO™ 
MOBILE  TECHNOLOGY  FOR  EXCEPTIONAL  PERFORMANCE  AND  PRODUCTIVITY, 


There  has  never  been  a  business  notebook  with  such  a  complete  combination 
of  features  and  options.  Adapt  in  seconds  with  Sony’s  unique  swappable  bay 
system.  Feel  secure  with  the  BX’s  biometric  fingerprint  sensor,  Connect  with 
integrated  wireless  WAN,  LAN,2  Bluetooth  Technology,3  and  an  optional  integrated 
camera  for  videoconferencing.  Be  a  leader.  Create  a  legacy. 

Call  866-303-7669 
Visit  sony.com/bx3 


\/MO 

PROFESSIONAL 


WHAT  WE  COVER,  WHOM  TO  CONTACT 

INDUSTRY 


THE  RESOURCE  FOR  INFORMATION  EXECUTIVES 


president  and  ceo  Michael  Friedenberg 

editorial  director  Lew  McCreary 
publisher  Gary  J.  Beach 

EDITORIAL 

editor  in  chief  Abbie  Lundberg 
managing  editor  David  Rosenbaum 

MANAGING  EDITOR,  PRODUCTION 

Cheryl  R.  Asselin 

EXECUTIVE  EDITORS 

Alison  Bass,  Christopher  Koch, 

Edward  Prewitt 

WASHINGTON  BUREAU  CHIEF 

Allan  Holmes 

TECHNOLOGY  EDITOR 

Christopher  Lindquist 

SENIOR  EDITORS 

Scott  Berinato, 

Stephanie  Overby,  Elana  Varon 

SENIOR  WRITERS 

Meridith  Levinson, 

Susannah  Patton,  Ben  Worthen 

STAFF  WRITER 

Thomas  Wailgum 

CONTRIBUTORS 

Jim  Cash.  Alice  Dragoon, 

Michael  Fitzgerald,  Nancy  Gohring, 

Galen  Gruman,  Cassidy  Healzer,  Mike  Hugos, 
Sumner  Lemon,  Keri  Pearlson,  Juan  Carlos  Perez. 
Linda  Rosencrance,  Michael  Schrage, 

Maria  Trombly,  John  W.  Von  Stein, 

Wendy  Yu 

DESIGN 

EXECUTIVE  DIRECTOR,  ART  AND  DESIGN 

Mary  Lester 

art  director  Terri  Haas 

ASSOCIATE  ART  DIRECTORS 

Owen  Edwards,  Matthew  Goebel 

COPY  TEAM 

copy  chief  Emily  S.  Henderson 

senior  copy  editor  Diann  Daniel 
copyeditor  Cathy Mallen 

EDITORIAL  ASSISTANTS 

Margaret  Locher,  Al  Sacco 
editorial  intern  Christopher  Lynch 

RESEARCH  &  PROJECTS 

research  editor  Lorraine  Cosgrove  Ware 

ASSOCIATE  RESEARCH  ANALYST  Julie  HanSOn 

ONLINE  EDITORIAL 

web  editorial  director  Art  Jahnke 

WEB  EXECUTIVE  EDITOR  AND  PRODUCER 

Janice  Brand 

web  editor  Sandy  Kendall 
web  writer  Paul  L.  Kerstein 

CXOXMEDIA  INC. 
INTERNATIONAL  DATA  GROUP 
BOARD  CHAIRMAN  Patrick  J.  McGovern 
CEO  Pat  Kenealy 

president,  idg  communications  Bob  Carrigan 


©CXO  Media  Inc. 


Automotive 

Edward  Prewitt,  eprewitt@cio.com 

Financial  Services 

Elana  Varon,  evaron@cio.com 

Health  Care 

Alison  Bass,  abass@cio.com 

Manufacturing,  Business-to-Business 

Christopher  Koch,  ckoch@cio.com 

Manufacturing,  Business-to-Consumer 

Susannah  Patton,  spatton@cio.com 

i 

Public  Sector 

Allan  Holmes,  aholmes@cio.com 

Retail 

Meridith  Levinson,  mlevinson@cio.com 

Transportation 

Stephanie  Overby,  soverby@cio.com 


BUSINESS  & 

TECHNOLOGY 

Architecture 

Christopher  Koch,  ckoch@cio.com 

Customer  Relationship  Management  (CRM) 

Alison  Bass,  abass@cio.com 

E-Commerce,  Business-to-Business 

Christopher  Koch,  ckoch@cio.com 

E-Commerce,  Business-to-Consumer 

Meridith  Levinson,  mlevinson@cio.com 

Emerging  Technology 

Christopher  Lindquist,  clindquist@cio.com 


Book  Reviews 

Elana  Varon,  evaron@cio.com 

By  the  Numbers 

Lorraine  Cosgrove  Ware,  lcosgrove@cio.com 

Essential  Technology 

Christopher  Lindquist,  clindquist@cio.com 

Executive  Coach 

Edward  Prewitt,  eprewitt@cio.com 

Forum 

Cheryl  Asselin,  cassetin@cio.com 

From  the  Editor 

Abbie  Lundberg,  lundberg@cio.com 

From  the  Publisher 

Gary  Beach,  gbeach@cio.com 


Enterprise  Resource  Planning  (ERP) 

Ben  Worthen,  bworthen@cio.com 

Integration 

Christopher  Koch,  ckoch@cio.com 

Leadership  and  Management 

Edward  Prewitt,  eprewitt@cio.com 

Legislation  and  Regulation 

Allan  Holmes,  aholmes@cio.com 
Ben  Worthen,  bworthen@cio.com 

Outsourcing 

Stephanie  Overby,  soverby@cio.com 

Public  Sector  (Government  IT) 

Allan  Holmes,  aholmes@cio.com 

Risk  Management 

Allan  Holmes,  aholmes@cio.com 

Security/Privacy 

Scott  Berinato,  sberinato@cio.com 
Allan  Holmes,  aholmes@cio.com 

Staffing 

Stephanie  Overby,  soverby@cio.com 

Supply  Chain  Management 

Ben  Worthen,  bworthen@cio.com 

Vendor  Management 

Scott  Berinato,  sbennato@cio.com 
Susannah  Patton,  spatton@cio.com 

Web  Services 

Christopher  Lindquist,  clindquist@cio.com 
Elana  Varon,  evaron@cio.com 

Workforce  Connectivity 

(Wireless,  Collaboration  Technologies) 

Thomas  Wailgum,  twailgum@cio.com 


Keynote 

Alison  Bass,  abass@cio.com 

Michael  Schrage 

Alison  Bass,  abass@cio.com 

On  the  Move 

Meridith  Levinson,  mlevinson@cio.com 

Peer  to  Peer 

Alison  Bass,  abass@cio.com 

Total  Leadership 

Elana  Varon,  evaron@cio.com 

Trendlines 

Elana  Varon,  evaron@cio.com 

Washington  Watch 

Allan  Holmes,  aholmes@cio.com 
Ben  Worthen,  bworthen@cio.com 


InBox 

Cheryl  Asselin,  casseiin@cio.com 


e-mail  letters@cio. com  phone  508  872-0080  fax  508  879-7784  address  CIO  Magazine.  CXO  Media  Inc. 
492  Old  Connecticut  Path,  P.O.  Box  9208,  Framingham,  MA  01701-9208  website  www.cio.com 
subscriber  services  866  354-1125  •  Fax  847  564-9453  •  E-mail  cio@omeda.com 
reprint  services  Jesse  Levy  •  PARS  International  •  212  221-9595  ext.  123  •  E-mail  jesse@parsintl.com 
rights  and  permission  Yadira  Pizarro  •  212  221-9595  ext.  231  •  E-mail  yadira@parsinti.com 


COLUMN  &  DEPARTMENT  CONTACTS 


14 


OCTOBER  15,  2005  |  www.cio.com 


Sterling  Commerce  leads  the  world  in  helping 
businesses  collaborate  with  their  partners. 


Of  course,  we've  had  a  30  year  head  start. 


For  over  30  years,  Sterling  Commerce  has  led  the  industry  in  helping  successful  organizations  work  more 
effectively  with  suppliers,  subsidiaries  and  customers.  Now,  with  the  first  platform  to  meet  all  the  challenges 
of  real-world  multi-enterprise  collaboration,  Sterling  Commerce  can  help  you  achieve  end-to-end  visibility, 
and  real-time  control  over  shared  business  processes.  So  you  can  make  faster,  better-informed  decisions  to 
help  cut  costs  and  accelerate  time  to  market.  In  fact,  a  majority  of  the  world's  leading  companies  already 
depend  on  us.  That's  a  tough  act  to  follow.  Contact  us  today.  Or  visit  us  at  www.sterlingcommerce.com 

BUSINESS  APPLICATIONS  /  BUSINESS  INTEGRATION  /  BUSINESS  INTELLIGENCE  /  BUSINESS  PROCESS  MANAGEMENT  /  SOLUTION  DELIVERY 


sterling  commerce 


©2005  Sterling  Commerce,  Inc.  ALL  RIGHTS  RESERVED.  Sterling  Commerce  and  the  Sterling  Commerce  logo  are  trademarks  of  Sterling  Commerce,  Inc.  Sterling  Commerce  is  an  SBC  Communications  Inc.  company. 


- j-4 

READER  FEEDBACK 

InBox 


Thanks  for  Two  Timely 
Articles 

I  want  to  compliment  you  on  the 

quality  and  content  of  recent  magazines. 

In  particular,  the  July  1  article  by  Ben 
Worthen,  “How  to  Dig  Out  from  Under 
Sarbanes-Oxley,”  and  the  July  15  “Wake-Up 
Call”  by  Alice  Dragoon  were  two  of  the 
best,  most  timely  pieces  of  information  I 
have  received  in  my  15  years  as  a  CIO. 

As  a  result  of  Worthen’s  article,  we  were 
able  to  have  a  conversation  with  our  audi¬ 
tors  and  reduce  the  number  of  key  IT  con¬ 
trols  for  Sarbanes-Oxley  from  89  to 
66— the  other  23  just  weren’t  directly  rele¬ 
vant  to  our  company’s  financial  controls 
[or  the]  integrity  of  our  financial  reporting. 

Dragoon’s  article  crystallized  many  of 
the  concepts  we  have  been  wrestling  with 
for  our  call  centers,  and  we  plan  to  use 
many  of  the  recommendations  for  trans¬ 
forming  our  call  centers  to  a  source  of 
competitive  advantage  in  our  new  IT  strat¬ 
egy,  which  will  be  published  in  October. 

I  just  can’t  tell  you  how  strongly  I 
appreciate  both  writers’  work  and  the 
direct  impact  it  has  had  on  how  I  help 
manage  our  business. 

LESLIE  H.  DUNCAN 

VP&CIO 
Atmos  Energy 

les.duncan@atmosenergy.com 


Unpredictability  in 
Requirements: 

Nature  of  the  Beast 

To  argue  the  difference  between 
missed  requirements  versus  changing 
requirements  is  futile  [“No  Crystal  Ball  for 
IT,”  July  15].  From  a  customer  vantage 
point,  it’s  unimportant  and  just  serves  as 
semantics  to  widen  the  gap  between  IT 
and  its  customer  base. 

IT  and  software  engineering  deal  with  a 
lot  of  unpredictability.  It’s  not  a  bad  thing.  It 
just  is.  Regardless  of  how  mature  and  for¬ 
mal  the  software  engineering  process  is, 
developing  software  is  closer  on  the  pre¬ 
dictability  scale  to  “waging  a  war”  than  it  is 
to  “paving  a  road.”  Too  many  unknowns, 
changing  or  missed  requirements,  chang¬ 
ing  technology,  unproven  architectures  and 
tools,  unpredictable  staffing  market,  a 
fickle  customer  base— the  list  goes  on. 

The  automotive  industry  has  it  right.  It 
comes  up  with  a  concept  car  first,  then 
takes  the  time  to  make  it  consumer-ready. 
We  often,  in  creating  software,  do  not  take 
this  two-step  approach.  We  can’t  afford 
not  to.  So  we  keep  turning  up  concept 
projects,  tweaking  them  as  we  go  to  make 
them  more  palatable  to  the  consumers. 

There  is  no  magic  bullet  here.  The  use 
of  software  engineering  best  practices  is 
necessary  but  not  sufficient.  The  question 
we  have  to  ask  ourselves  is  the  following: 
Are  we  willing  to  pay  the  price  tag  for 
what  it  would  cost  to  develop  robust, 
industrial-strength  software,  or  are  we 
plagued  forever  to  produce  toy  products? 

MOEZ  CHAABOUNI 

CIO 

Hondros  College 
moez@hondros.edu 

As  business  leaders,  it  is  up  to  us  to 

define  the  business  before  any  attempt  is 
made  to  define  the  requirements  for  the 
various  IT  projects  we  manage. 


We  must  think  outside  the  shipping  box 
that  the  system  was  delivered  in.  We  must 
begin  thinking  about  our  needs  as  we  start 
to  do  the  strategic  planning  cycles.  We 
must  incorporate  our  business  process 
design  when  we  shape  the  business  models 
and  consider  the  tactical  plans  for  deploy¬ 
ing  the  business  activities.  We  must  deliber¬ 
ately  plan  for  how  the  business  processes 
become  actualized  in  policies,  procedures, 
training  manuals,  employee  instructions, 
customer  information  and  even  the 
design  of  the  service  or  product  offerings 
themselves.  Once  we  have  designed  (or 
redesigned,  as  the  case  may  be)  the  business 
processes,  we  have  the  structure  of  what  is 
needed  as  inputs  to  the  system  planning. 

On  the  issue  of  financing,  I  couldn’t  agree 
more  with  the  article.  There  are  many  exam¬ 
ples  of  project  costs  seeming  to  spiral  out  of 
control.  The  International  Space  Station  is  a 
good  example.  Many  reports  suggest  that  we 
should  abandon  the  whole  thing  because 
costs  have  risen  far  beyond  the  original  few 
billion  it  was  supposed  to  cost.  This  problem 
was  due  to  scope  changes  that  were  not 
anticipated.  Can  we  really  blame  the  proj¬ 
ect?  Surely  we  simply  failed  to  correctly 
define  the  scope  of  the  project.  We  failed  to 
manage  inputs,  outputs,  processes,  quality 
and  product  characteristics.  A  large  frac¬ 
tion  of  IT  projects  are  considered  failures. 
Of  those  that  succeed,  many  run  well 
beyond  the  original  investment  threshold 
and  do  not  live  up  to  their  ROI  claims. 

KENT  HOPKINS 

CIO 

khopk@usa.net 


What  Do  You  Think? 


Send  your  thoughts  and  feedback  to 
letters@cio.com.  Letters  may  be  edited  for 
length  or  clarity.  For  a  link  to  the  articles 
mentioned,  go  to  www.cio.com/101505. 

cio.com 


16 


OCTOBER  15,  2005  |  www.cio.com 


Oracle  Database 


World's  #1  Database 


fs/oW 

A 


For  Small  Business 


Easy  to  use.  Easy  to  manage. 
Only  $149  per  user. 


oracle.com/standardedition 
or  call  1.800.633.0753 

Terms,  conditions,  and  limitations  apply.  Pricing,  specifications,  availability  and  terms  of  offers  may  change 
without  notice.  Taxes,  fees  and  shipping  charges  extra,  vary  and  are  not  subject  to  discount.  Oracle 
Database  Standard  Edition  One  is  available  with  Named  User  Plus  licensing  at  $149  per  user  with 
a  minimum  of  five  users  or  $4995  per  processor.  Licensing  of  Oracle  Standard  Edition  One 
is  permitted  only  on  servers  that  have  a  maximum  capacity  of  2  CPUs  per  server. 

For  more  information,  visit  oracle.com/standardedition 

Copyright  ©  2005,  Oracle.  Oracle,  JD  Edwards,  PeopleSoft  and  Retek  are  registered  trademarks  of  Oracle  Corporation  and/or  its  affiliates. 

Other  names  may  be  trademarks  of  their  respective  owners. 


BOARD  OF  ADVISERS  '05 


CIO  wishes  to  acknowledge  the  2005  Editorial  Advisory  Board  members  for  their  ongoing 
guidance  and  reality  check  of  the  magazine’s  content  and  focus.  We  thank  them  for  their 
generosity  in  sharing  their  insight  into  the  world  of  IT  leadership. 


GREGOR  BAILAR 

PAUL  J.  GAFFNEY 

SHELEEN  QUISH 

CIO 

EVP,  Supply  Chain 

VP,  Corporate  Marketing  &  Global 

Capital  One 

Staples 

CIO 

Falls  Church,  Va. 

Framingham,  Mass. 

U.S.  Can 

DOUG  BARKER 

ANDY  GEISSE 

Lombard,  Ill. 

CEO 

CIO 

REBECCA  R.  RHOADS 

Barker  and  Scott  Consulting 

SBC  Communications 

CIO 

Washington,  D.C. 

San  Antonio 

Raytheon 

WAYNE  D.  BENNETT 

JOHN  GLASER 

Lexington,  Mass. 

Partner 

VP  &  CIO 

LARAINE  RODGERS 

Bingham  McCutchen 

Partners  Healthcare 

President 

Boston 

Boston 

The  LR  Group 

LARRY  BONFANTE 

SCOTT  HEINTZEMAN 

Scottsdale,  Ariz. 

CIO 

CIO 

JAMES  F.  SUTTER 

United  States  Tennis  Association 

Carlson  Marketing  Group 

Senior  Partner 

White  Plains,  N.Y. 

Plymouth,  Minn. 

The  Peer  Consulting  Group 

DENNIS  CALLAHAN 

C.  LEE  JONES 

Newport  Beach,  Calif. 

EVP  &  CIO 

Chairman,  President 

RICHARD  W.  SWANBORG  JR. 

The  Guardian  Life 

&CEO 

President 

Insurance  Co. 

Essential  Group 

ICEX 

New  York  City 

Gurnee,  Ill. 

Boston 

SHEILA  DONAHOE 

SUSAN  S.  KOZIK 

PATRICIA  WALLINGTON 

CIO 

EVP  &  CTO 

President 

Bluegreen 

TIAA-CREF 

CIO  Associates 

Boca  Raton,  Fla. 

New  York  City 

University  Park,  Fla. 

MICHAEL  EARL 

BUD  MATHAISEL 

ROBERT  P.  WEIR 

Professor  of  Information 

Corporate  VP  &  CIO 

VP,  Information  Services 

Management,  Dean  of 

Solectron 

Northeastern  University 

Templeton  College 

Milpitas,  Calif. 

Boston 

Oxford  University 

Oxford,  England 

RON  J.  PONDER,  PhD 

STEVE  WILLIAMS 

EVP  &  CIO 

SVP&CIO 

WellPoint 

Mattress  Giant 

Indianapolis 

* 

Addison,  Texas 

18 


OCTOBER  15,  2005 


www.cio.com 


'Wireless  service  plan  required  Email  and  web  require  wireless  data  services  and  additional  charges  apply.  Coverage  not  available  everywhere.  'Offer  good  with  the  purchase  of  10  or  more  Treo  650 
smartphones  from  Cingular.  While  supplies  last.  'Trial  includes  up  to  5  Treo  650  smartphones,  the  GoodLink  server,  the  client  software  and  the  service  plan.  Prepayment  required  for  Treo  650  smartphones 
used  for  trial.  Offer  not  available  in  Cingular  Wireless  stores  or  independent  agent  stores.  Other  conditions  and  restrictions  apply.  Screen  image  simulated.  ©2005  Palm,  Inc.  All  rights  reserved.  Palm 
and  Treo  are  among  the  trademarks  or  registered  trademarks  owned  by  or  licensed  to  Palm,  Inc.  Cingular,  the  "Graphic  Icon"  design,  and  "raising  the  bar"  are  either  trademarks  or  registered  trademarks . 


Now  both  business  and  IT  people  can  get  what  they  want  in  a  mobile  solution. TheTreo  650  smartphone  with  GoodLink  combines 
phone,  Internet,  and  real-time  wireless  access  to  Microsoft8  Outlook  email,*  contacts,  calendar,  tasks  and  notes.  And  with 
over-the-air  deployment,  enterprise-class  security,  and  device  management,  everybody's  job  will  be  easier.  Get  it  all  from  Cingular 
on  the  nation's  largest  digital  wireless  voice  and  data  network.  www.Cingular.com/GoodlinkTreoPromo  It  S  tilTI6  for  TrGO. 

From  9/1  through  10/31,  get  a  FREE  GoodLink  Server 
&  Support  Starter  Pak  and  FREE  Treo  650  business 
accessory  kits.  A  minimum  $2800  value/ 

To  test  drive  risk  free  for  30  days/  call  your  Cingular 
Business  Representative  or  1-800-363-1351. 


palm]  Good 


X  cingular 

raising  the  barr.iill 


5, 

HPkln  M 

■m,  v*  *•  -It 

4s "  ; :  7i  .  M 


Your  sales  force  will  love 
sending  more  email. 
The  IT  folks  will 
love  getting  less. 


A'i---''  5; 


of  Cingular  Wireless  LLC.  Good.  Good  Technology,  the  Good  logo,  and  GoodLink  are  trademarks  or  registered  trademarks  of  Good  Technology,  Inc.  All  other  marks  are  property  of  their  respective  owners 


The  Power  to  Know  why  other  Bl  vendors  have  arrived  too  late. 


WANT  PROOF? 

Hear  from  industry  experts, 
analysts  and  customers 
about  proven  successes  with 
SAS  Business  Intelligence. 

BetterManagement  LIVE 
Worldwide  Business  Conference 
Las  Vegas,  NV,  USA 
October  26-27,  2005 


While  other  vendors  are  playing  catch-up  — by  just  now  introducing  their  Bl  approaches  — 
SAS  continues  to  lead  the  way  in  the  business  intelligence  market.  When  you  consider 
investing  in  or  upgrading  your  current  Bl  software,  talk  to  SAS  about  our  proven  successes. 

■  Unmatched  Enterprise  Intelligence  Platform 

■  Nearly  30  years  of  Bl  experience 

■  Undisputed  leader  in  business  analytics 

•  More  than  4  million  users  at  over  40,000  locations  worldwide 

■  At  work  in  94%  of  FORTUNE  Global  500'  companies 


sas9 


go  Beyond  BP  at  www.sas.com/sasBI  •  Analyst  case  study 


jSclS. 


THE 
POWER 
TO  KNOW 


!>tenxl  trade* 'narks  or  trademarks  of  SAS  Institute  Inc.  in  the  USA  arx!  other  countries.  ®  indicates  USA  registration.  Other  brand  and  product  names  are  trademarks  of  the*  respective 


xmporites 


ILLUSTRATION  BY  ALISON  SEIFFER;  PHOTO  BY  DAVID  J.  PHILLIP/AP 


China’s  Bet 
on  Linux 

The  world’s  largest  market  turns  to  free  software 

J 

open  source  As  China  prepares  to  become  a  full  member  of  the  World 
Trade  Organization,  the  Beijing  government  is  trying  to  prove  to  the  West 
that  it  is  serious  about  reducing  software  piracy.  And  so  China’s  government 
agencies  and  businesses  are  turning  to  Linux  as  their  desktop  operating 
system  of  choice,  a  trend  with  potential  to  influence  how  the  world  uses  the 
open-source  software. 

Recently  Linux  has  become  increasingly  popular  as  a  server  operating 
system  but  has  been  slower  to  catch  on  at  the  desktop  due  to  the  difficulties 
IT  departments  have  finding  or  developing  enterprise-quality  Linux  desktop 
applications.  According  to  Gartner,  only  about  1  percent  of  companies  in  the 
United  States  and  Europe  currently  use  Linux  on  the  desktop,  and  only 
3.2  percent  are  expected  to  by  2008. 

Linux  appeals  to  users  in  China  because  it’s  free,  it  can  be  deployed  with¬ 
out  running  afoul  of  international  copyright  Continued  on  Page  22 


Are  You  at  Risk  in  a 

Catastrophe? 


RISK  MANAGEMENT 

The  eventual  recovery  of  the  busi¬ 
nesses  devastated  by  the  recent 
hurricane  season  comes  down  to 
the  effectiveness  of  their  disaster 
planning.  A  catastrophe  on  the 
scale  of  Katrina  could  be  impossi¬ 
ble  to  plan  for  fully,  but  compa¬ 
nies  can  do  more  to  understand 
their  risks  and  develop  strategies 
to  mitigate  them. 

Roberta  Witty,  a  research  vice 
president  with  Gartner,  says  most 
companies  aren’t  prepared  for  a 
regional  disaster.  "Most  compa¬ 
nies  are  looking  at  the  kind  of 


events  that  would  impact  [only] 
themselves,"  she  observes. 

“They  have  a  fire  in  the  building, 
or  there’s  a  power  outage  at  their 
data  center." 

Free  software  made  available 
earlier  this  year  by  the  National 
Institute  of  Standards  and  Tech¬ 
nology  is  intended  to  help  compa¬ 
nies  do  a  better  job  anticipating 
the  damage  to  their  facilities 
from  extreme  events  that  occur 
infrequently— a  natural  disaster 
or  terrorist  attack,  for  example, 
says  Robert  Chapman,  a  NIST 
economist. 


NIST’s  Cost-Effectiveness 
Tool  for  Capital  Asset  Protection 
provides  companies  with  a  pro¬ 
cess  to  help  them  develop  risk 
mitigation  plans.  First,  the  soft¬ 
ware  enables  the  assessment  of  a 
building’s  vulnerability  to  a  variety 
of  extreme  conditions,  including 
high  winds  and  flooding. 

Once  the  risks  are  identified, 
the  software  can  suggest  strate¬ 
gies  to  reduce  the  chances  of  a 
disaster  affecting  a  company  or 
to  decrease  potential  damage. 

Lastly,  the  software  guides 
users  through  an  economic 
analysis  that  helps  them  evaluate 
the  planning,  maintenance  and 
installation  costs  of  various 
mitigation  strategies. 

-Cassidy  Healzer 


www.cio.com  |  OCTOBER  15,  2005 


Go  West, 

Job  Seekers 

STAFFING  IT  professionals  seeking 
work  have  the  best  chance  of  finding 
jobs  on  the  West  Coast,  according  to 
Robert  Half  Technology,  an  employ¬ 
ment  services  company. 

Nationally,  16  percent  of  CIOs  plan  to 
hire  staff  in  the  fourth  quarter  this  year, 
the  highest  net  increase  since  the  third 
quarter  of  2002,  according  to  the  “Robert 
Half  Technology  IT  Hiring  Index  and 
Skills  Report.” 

The  West  Coast  is  expected  to  produce 
the  most  new  jobs,  with  21  percent  of  CIOs 
there  saying  they  plan  to  add  new  workers. 

A  close  second  is  the  mid-Atlantic  region; 

20  percent  of  CIOs  in  that  region  plan  to  hire 
new  workers.  New  England  and  the  Moun¬ 
tain  States  offer  the  fewest  opportunities. 

Business  growth  is  the  biggest  factor  driv¬ 
ing  hiring,  with  36  percent  of  CIOs  surveyed 
citing  it  as  the  reason  they  are  adding  staff. 

Companies  in  finance,  insurance  and  real 
estate  are  likely  to  be  the  most  aggressive 
employers  during  the  quarter.  Networking 
professionals,  Web  and  applications  devel¬ 
opers,  database  administrators,  and  soft¬ 
ware  engineers  are  in  the  greatest  demand. 

-Nancy  Gohring 


Chinese  Linux _ 

Continued  from  Page  21 

agreements  and  it  is  easily  customized  to  fit  local  needs. 

Because  China  has  1.3  billion  citizens  who  are  potential  end 
users,  the  country’s  widespread  adoption  of  desktop  Linux 
will  push  Linux  developers  to  create  better  desktop  software, 
says  Dan  Kusnetzky,  VP  of  system  software  research  with  I  DC 
(a  sister  company  to  CIO’s  publisher). 

Although  China  isn’t  unique  in  its  focus  on  desktop  Linux— 
Kusnetzky  notes  some  pilot  projects  in  Europe  (the  city  of 
Munich,  for  example,  and  the  Banca  Popolare  di  Milano  in 
Italy)  and  in  South  America  (among  government  agencies  in 
Brazil  and  Venezuela)— “anytime  there  are  large-scale  installa¬ 
tions,  it  has  an  impact  on  what  the  open-source  community 
knows  how  to  do.” 

According  to  China’s  Ministry  of  Information  Industry  (Mil), 
almost  70  percent  of  all  software  purchases  last  year  were  of 
Linux-based  products.  Meanwhile,  provincial  governments, 
installed  45,000  desktops  with  Linux  operating  systems. 

Now  private  businesses  are  following  suit.  Local  government 
agencies  are  subject  to  a  national  mandate  to  install  legal  copies 
of  software  by  the  end  of  this  year,  says  Qi  Zhang,  who  heads 
Mil’s  electronics  and  information  products  department. 

Early  adopters  of  desktop  Linux  include  major  enterprises 
such  as  government-owned  railways  and  telecom  companies, 
says  Chris  Zhao,  president  of  Red  Flag,  a  major  Chinese  Linux 
vendor.  Tokyo-based  Turbolinux  recently  announced  an  enter¬ 
prisewide  deployment  with  China’s  largest  commercial  bank, 
the  Industrial  and  Commercial  Bank  of  China. 

Chinese  users  are  running  open-source  versions  of  Office  as 
well  as  homegrown  software  designed  for  specific  applications, 
such  as  the  software  used  by 
bank  tellers. 

Meanwhile,  the  Chinese 
government  is  considering 
requiring  that  government 
agencies  use  open-source 
software.  Such  a  rule  would 
indirectly  benefit  open-source 
software  developers  in  China, 
because  there  are  relatively  few  Chinese  software  companies 
that  sell  their  own  proprietary  products.  During  the  summer, 
Red  Flag  and  several  other  open-source  vendors  formed  a  part¬ 
nership  to  jointly  develop  software  and,  possibly,  to  merge.  The 
relationship  is  considered  essential  for  China’s  software  indus¬ 
try  to  compete  internationally,  according  to  Shouqun  Lu,  presi¬ 
dent  of  the  China  Open  Source  Software  Promotion  Union. 

Meawhile,  Novell  plans  to  open  a  research  and  development 
center  in  Beijing  by  the  end  of  the  year.  Lolley  Luo  Wei,  Novell 
China’s  marketing  and  channel  director,  says  the  company 
expects  to  expand  its  business  in  China. 

-Maria  Trombly  (with  Wendy  Yu)  and  Sumner  Lemon 


45,000 

Linux  desktops  were 
installed  by  Chinese 
government  agencies 
during  2004. 


H 

S3 

n 

z 

O 

r 

M 

z 

n 

cn 


2  2 


OCTOBER  15,  2005  |  www.cio.com 


PHOTO  BY  GETTY  IMAGES 


THAT’S  BUSINESS  TRANSFORMATION,  YOUR  WAY. 

It’s  w  h  a  t  y  o  u  demand. 


SATYAM  DELIVERS. 


Satyam 

What  Business  Demands. 


One  Gatehall  Drive  Parsippany,  NJ  07054  1-800-450-7  605  www.satyam.com  US@satyam.com 

Americas  /  Europe  /  Asia-Pacific  /  Middle  East  /  Africa 


Answers 
at  Your 
Fingertips 

instant  messaging  Like  many  large 
organizations,  Cox  Communications  grapples 
with  two  conflicting  goals  for  customer  support: 
improving  it  while  keeping  costs  down. 

The  need  to  harmonize  these  clanging  principles 
led  Cox  to  implement  a  system  on  its  website  that 
uses  an  instant  messaging-like  interface  to  field 
customer  questions  via  an  automated  text  chat.  The 
system,  dubbed  Instant  Answers  and  deployed  last 
November,  costs  Cox  much  less  than  having  cus¬ 
tomer  service  representatives  answer  questions. 

Cox  provides  high-speed  Internet,  cable  TV 
and  telephone  services.  When  customers  visit 
the  support  section  of  Cox's  website,  they  have 
the  option  to  ask  questions  of  Instant  Answers’ 
"virtual  customer  service  representative.”  Those 
who  choose  it  are  taken  to  the  Instant  Answers 
interface.  Customers  then  ask  in  plain  English  how 
to  set  up  their  e-mail  application  or  inquire  about 
digital  cable  service.  Instant  Answers  helps  cus¬ 
tomers  refine  their  queries.  In  addition  to  returning 
answers,  it  also  provides  links  to  other  relevant 
parts  of  the  Cox  website. 

Through  surveys  during  the  months  after  the 
rollout,  Cox  found  that  between  9  percent  and 
11  percent  of  Instant  Answers  users  decided  not  to 
call  customer  support  because  the  chat  system 
answered  their  question,  says  Suzanne  Foy,  the 
company’s  director  of  customer  care  strategy  and 
support.  The  system  would  pay  for  itself  with  a  call 
avoidance  rate  of  only  2  percent  to  3  percent,  so  the 
results  are  exceeding  expectations,  Foy  says. 

Automated  service  agent  technology  has  been 
around  for  several  years,  but  adoption  has  been 
timid,  says  analyst  Michael  Osterman  of  Osterman 
Research.  However,  he  says,  its  popularity  is  rising, 
thanks  to  increasing  familiarity  with  IM  and  the 
need  for  lower  cost  customer  service. 

Agents  can  also  be  used  with  an  enterprise  IM 
system  to  help  employees  find  information  in  back¬ 
end  applications  and  databases.  This  is  the  plan 
at  IntelliCare,  which  operates  health-related  call 
centers. 

Agents  will  make  it  easier  and  faster  for  nurses 
to  find  the  information  they  need  to  help  patients, 
says  IntelliCare  CIO  Jeff  Forbes. 

-Juan  Carlos  Perez 


Washington  watc  h 


After  Hurricanes, 
Fed  IT  Falls  Short 

Disaster  assistance  website,  call  centers  frustrate  victims 


Out  of  the  devastation  of  the  Gulf 
Coast  this  hurricane  season  comes 
this  lesson  for  CIOs:  Know  how 
your  customers  want  or  need  to  do 
business  with  you,  and  set  up  your 
IT  infrastructure  accordingly. 

Hurricane  Katrina  victims 
applying  last  month  for  federal 
assistance  on  the  U.S.  Federal 
Emergency  Management  Agency 
website  had  to  have  Internet 
Explorer  Version  6  or  higher  to 
access  the  necessary  digital  forms. 
The  browser  is  compatible  only 
with  PCs  running  Microsoft  Win- 


Carpenter  ALAN  PERKINS  walks  past 
a  sign  put  up  by  another  resident  living  in  a 
tented  city  in  Bay  St.  Louis,  Miss. 

dows  98  and  higher.  Hurricane  vic¬ 
tims  who  used  older  PCs,  Macs  or 
Linux  computers  were  unable  to  fill 
out  the  forms  online. 

Compounding  the  problem,  the 
heavy  call  volume  on  FEM  A’s  toll- 
free  line  made  it  almost  impossible 
for  anyone  without  a  computer  to 
apply  for  assistance.  FEM  A’s  web¬ 
site  told  visitors  that  the  best  time  to 
call  was  between  2  a.m.  and  6  a.m. 


Eastern  time. 

About  a  third  of  Americans  do 
not  have  Internet  access  at  all,  and 
the  poor,  who  were  disproportion¬ 
ately  affected  by  the  hurricane,  are 
less  likely  to  be  Internet  users  than 
those  who  are  well-off,  according  to 
the  Pew  Internet  and  American  Life 
Project  in  Washington,  D.C. 

Mac  users  such  as  Gary  Mullins 
were  irked  by  FEMA’s  exclusion. 
Mullins,  who  had  brought  his 
mother  to  California  after  Katrina 
wiped  out  her  home  in  Mississippi, 
found  his  Mac  couldn’t  access  the 
online  application  when  he  tried  to 
help  his  mother  apply  for  assis¬ 
tance.  “This  smacks  of  a  serious 
leadership  failure  that  the  use  of  the 
Internet  is  reserved  for  only  the 
Windows  community,”  Mullins 
wrote  to  the  MacInTouch  website. 
About  5  percent  of  all  computer 
users  nationwide  use  a  Mac  or 
Linux  operating  system,  according 
to  IDC.  Almost  69  percent  of  Amer¬ 
icans  use  IE6  to  browse  the  Inter¬ 
net,  according  to  W3Schools. 

At  press  time,  FEM  A  was  still 
working  on  modifying  the  applica¬ 
tion  to  work  with  additional 
browsers. 

All  of  which,  says  the  Pew  pro¬ 
ject’s  director,  Lee  Rainie,  should 
underscore  the  importance  of 
knowing  who  your  customers  are. 
Otherwise,  you  have  to  acknowl¬ 
edge  that  you  won’t  serve  everyone. 

-Ben  Worthen  and 
Linda  Rosencrance 


24  OCTOBER  15,  2005  |  www.cio.com 


PHOTO  BY  MARK  HUMPHRFY/AP 


SCHRAGE  OH  WO  REPORT  MW  TO  THE  CfO  CAH  BE  SOOD  FOB  IT.  ANB  CiOs 


www.cio.com 

This  is  a  domestic  rate  only  (US  and  Canada). 

The  foreign  rate  is  $195.00  prepaid  in  U.S.  currency. 


SUBSCRIBE  TODAY! 

Yes,  please  enter  my  one-year  subscription 
(23  issues)  to  CIO  magazine,  and  bill  me  later 
for  $95.00! 


Name 


Title 


Company  Name 


Address 


City 


State  Zip 


□  Bill  me  □  Bill  my  credit  card  □  MC  □  VISA  □  AMEX 


Account  Number  Expiration  date 


Signature 


CIN05 


NO  POSTAGE 
NECESSARY 
IF  MAILED 
IN  THE 

UNITED  STATES 


BUSINESS  REPLY  MAIL 

FIRST-CLASS  MAIL  PERMIT  NO.  1020  FRAMINGHAM  MA 


POSTAGE  WILL  BE  PAID  BY  ADDRESSEE 


ATTN:  CIRCULATION  DEPARTMENT 
PO  BOX  9208 

FRAMINGHAM  MA  01701-9486 


VOL.  2  N  ).  1 


OCTOBER  CSO'OCTOBER  15  CIO 


> 


•r: 


Special  Report 

The  Shift  in 
Data  Security 


Stop  the 

Insider  T' 


CIO 


Custom  Publishing 
Advertising  Supplement 


Insiders  Pose 
the  Biggest 
Threat 

How  to  Protect 

Confidential 

Information 

What  Top 
Companies 
Are  Doing 


PART  1 

DATA  LOSS 


ADVERTISING  SUPPLEMENT 


PREVENTION 

Insiders  Pose 
The  Biggest  Threat 

to  Data  Security 


The  most  likely  threat  to  information  security  is  not  the 
typical  hacker,  virus,  or  worm,  but  rather  the  malicious 
or  careless  corporate  insider. 


SINCE  JANUARY  OF  2005  there  have  been  over  70 
publicized  data  security  and  privacy  breaches.  Over 
half  of  these  breaches  were  caused  by  “insiders,”  rather 


than  hackers.  This  signals  a  fundamental  change,  for 
the  first  time  ever,  the  insider  surpasses  the  hacker 


as  the  number-one  data  security  threat. 


It’s  easy  to  see  why  company  insid¬ 
ers,  not  hackers,  now  pose  the  greatest 
threat  to  data  security.  To  obtain  confi¬ 
dential  data,  an  intruder  or  hacker  has 


to  figure  out  how  to  break  into  the  net¬ 
work,  then  locate,  obtain,  and  distrib¬ 
ute  the  desired  data — all  without  being 
detected  by  today’s  highly  effective 


Insider  vs.  The  Hacker 


2005  Data  Security  Breaches 


Inadvertent  vs.  Malicious 


96%  of  leaks  are  due  to  faulty 
processes  or  oversight 


<1% 

1%  malicious  Other 
manager  —  / 

approved  /  I 


50% 

of  leakage 
is  due  to 
business 
process 


Data  compiled  from  industry  sources 

including  EPIC.org  and  PerkinsCoie.com.  Source:  Vontu  risk  assessment  findings. 


firewall,  network  security,  and  intru¬ 
sion-detection  systems. 

On  the  other  hand,  think  of  all  the 
people  inside  the  company  who  have 
ready  access  to  customer,  employee, 
product,  and  financial  data.  These 
same  people  also  have  instant  access 
to  the  Internet.  How  easy  is  it  for  a  call 
center  representative  to  e-mail  confi¬ 
dential  customer  data  to  a  personal 
Yahoo!  account?  Or  for  a  software 
engineer  to  send  source  code  out 
along  with  his  resume  to  a  competitor? 
And  what's  to  stop  an  administrative 
employee  from  leaking  quarterly  earn¬ 
ings  via  instant  messaging? 

With  easy  access  to  confidential 
data  and  the  Internet,  company  insid¬ 
ers  now  represent  the  biggest  threat  to 
data  security.  Whether  data  security 
policies  are  violated  inadvertently  or 
maliciously,  the  results  expose  the 
company  to  embarrassment,  lost  busi¬ 
ness,  costly  lawsuits,  and  regulatory 
fines.  Industry  analysts  have  identified 
company  insiders  as  the  leading  threat 
to  data  security. 


2 


ADVERTISING  SUPPLEMENT 


PART  21 

DATA  L OS S 


PREVENTION 


A  new  class  of  data  security  software: 

Data  Loss  Prevention 


Data  Loss  Prevention  Evolution 


Yesterday  Today 


With  data  protection  at  the  top  of 
security  executives’  agendas,  a  new 
class  of  security  software  has  emerged 
to  prevent  intellectual  property  and 
customer  data  from  being  leaked  over 
email,  webmail,  or  other  Internet  com¬ 
munications.  Some  analysts  call  it 
Data  Loss  Prevention,  others  Data 
Leak  Prevention;  either  way,  it’s  a  class 
of  software  every  Fortune  500  com¬ 
pany  should  understand  and  evaluate. 

What  Is  Data  Loss  Prevention? 
It’s  a  new  class  of  software  that 
enforces  data  security  policies  and 
discovers  confidential  information 
wherever  it  is  stored,  monitors  all  net¬ 
work  traffic,  and  blocks  web  and 
email  communications  that  violate 
data  security  policy. 

How  Does  it  Work?  First,  policies 
are  established  to  protect  key  data 
assets.  Then,  these  policies  are 
deployed  to  where  leaks  occur:  on 
inbound  and  outbound  network  traffic, 
desktops,  and  internal  file  stores. 

Communications  are  monitored 
and  selectively  blocked  to  prevent 
data  loss.  Other  features  include  inci¬ 
dent  response  workflow  and  reporting. 

Who  is  Using  It?  Fortune  500 
companies  and  government  agencies 
that  need  to  protect  their  data  assets, 
preserve  their  brand  reputation,  and 
demonstrate  compliance. 

So  What’s  Really  New  About  It? 
Often  times,  the  best  way  to  understand 
new  solutions  is  to  compare  them  with 
legacy  solutions  to  understand  the 
incremental  value-add  and  benefit,  (see 
chart  “Data  Loss  Prevention  Evolution”) 


Past  solutions  scanned  email  or 
web  activity  but  were  limited  to  key¬ 
words  and  other  simple  pattern 
recognition  capabilities.  All  too 
often,  these  solutions  blocked  legit¬ 
imate  communications  while  miss¬ 
ing  transmissions  where  sensitive 


information  was  leaked  out. 

Today’s  Data  Loss  Prevention 
solutions  monitor  and  scan  multiple 
protocols  (email,  webmail,  web 
post,  IM,  and  FTP),  and  are  highly 
accurate  to  deliver  no  false  positives 
or  false  negatives. 


3 


ADVERTISING  SUPPLEMENT 


DATA  LOSS 


PREVENTION 


Keys  to  Protect  Your 
Confidential  Information 


WHEN  EVALUATING  DATA  LOSS  PREVENTION  SOFTWARE, 

make  sure  you  have  a  clear  understanding  of  the  requirements  for 
successful  data  protection.  Not  all  vendor  solutions  are  alike,  and 
many  fail  to  provide  essential  features  of  a  best-in-class  solution. 
Below  is  a  high-level  list  of  questions  that  serve  as  a  guide  for 
evaluating  Data  Loss  Prevention  software  solutions. 


Enforce 

>  Does  the  solution  accurately  detect 
all  types  of  confidential  information? 

>  Is  accuracy  proven  at  high  loads  (i.e. 
50,000  users,  billions  of  messages 
per  day,  gigabit  line  speed)? 

>  Does  the  solution  automatically 
enforce  policies  with  options  for 
notification,  remediation  workflow, 
blocking,  quarantine,  and  encryption? 

>  Is  employee  privacy  safeguarded? 
How? 

>  Is  the  solution  proven  to  scale  to 
billions  of  messages  per  day,  hun¬ 
dreds  of  thousands  of  users,  gigabit 
network  speeds,  billions  of  data 
records,  and  gigabytes  of  content? 

>  Can  reports  be  generated  to 
measure  risk  over  time  and 
support  compliance? 

Monitor 

>  Does  the  solution  monitor  all 
network  protocols  (email,  webmail, 
instant  messaging,  FTP,  etc)? 

>  Is  there  continuous  monitoring 
for  ongoing  risk  reduction  and 
detection  of  new  threats? 

Prevent 

>  Can  the  solution  block  or 
redirect  select  email  and  web 
communications? 


>  Does  the  solution  enforce  enter¬ 
prise-wide  encryption  and  archiving 
policies? 

Discover 

>  Can  the  solution  find  confidential 
data  on  shared  servers,  web  servers, 
and  desktops? 

>  Is  the  solution  agent-less  or  does  it 
require  client  software? 

Vontu  Meets  the  Requirements.^ 
of  Fortune  500  Companies 

“Vontu’s  proven  leadership  in  the  For¬ 
tune  500  is  a  direct  result  of  responding 
to  market  requirements  and  giving 
executives  a  proactive  way  to  protect 
confidential  data  so  that  they  can  main¬ 
tain  the  trust  of  their  customers,  part¬ 
ners,  and  shareholders,”  says  Joseph 
Ansanelli,  CEO  of  Vontu. 

Vontu  allows  companies  to  discover 
where  confidential  information  is  stored 
on  file  servers,  web  servers,  and  desktops; 
monitor  network  traffic  for  confidential 
data;  and  prevent  confidential  data  from 
ever  leaving  the  company.  Vontu  5.0  also 
includes  automatic  enforcement  of  data 
security  and  encryption  policies. 

With  Vontu,  companies  reduce  the 
amount  and  severity  of  accidental  and 
malicious  data  loss  to  avoid  financial 


Five  Keys 
to  Protect 
Confidential 
Information: 


Deliver  high  accuracy  on  all 
confidential  data  types  (customer  data, 
patient  data,  intellectual  property) 


pduern  udid,  iriteuecuii 


Block  or  redirect  select  email  and  web 


communications 


Remediation 


Automatically  enforce  data  security 
policies  and  workforce  compliance 


Reporting 


Measure  risk  reduction  and  demonstrate 
compliance 


Automatically  enforce  employee 
compliance 


To  learn  more,  go  to 
www.vontu.com/5keys/asp 


losses,  protect  their  brand,  and  demon¬ 
strate  compliance  with  state  and  fed¬ 
eral  regulations. 

“To  protect  customer  trust  and  intel¬ 
lectual  property  as  well  as  demonstrate 
compliance,  enterprises  will  require 
Data  Loss  Prevention  solutions  that  not 
only  monitor  but  also  stop  the  transmis¬ 
sion  of  confidential  data  before  it  hap¬ 
pens,”  says  Dr.  Larry  Ponemon,  Founder 
and  Chairman,  The  Ponemon  Institute. 


4 


PROVEN  DATA  PROTECTION 


Vontu.  The  Only  Vendor  to  Meet  Fortune  500  Requirements. 

VONTU  5.0 

COMPETITION 

Percent  Fortune  500™  Customers 

>65% 

<5% 

Proven  Enterprise  Scale 

y 

Accurately  Detect  Customer  Data 

y 

Accurately  Detect  Intellectual  Property 

y 

y 

Block  Email  and  Web  Traffic 

y 

Scan  File  Systems  and  Desktops 

y 

Policy  Based  Remediation 

y 

Risk  and  Compliance  Reporting 

y 

Who  Will  You  Trust  With  Your  Reputation? 


VONTU 


www.vontu.com  or  call  1.415.364.8100 


J 


Note:  Fortune™  and  Fortune  500™  are  registered  trademarks  of  Time,  Inc.  There  is  no  relationship  between  Time,  Inc.,  and  Vontu,  Inc. 
implied  by  the  reference  to  Fortune™  magazine  and  the  Fortune  500™. 


©  2005  VONTU.  INC 


>  What  Every  CSO  and  CIO  Should  Know  about  New  Data  Security  Legislation 

Interview  with  Joseph  Ansanelli,  CEO  and  Co-Founder  of  Vontu,  Inc. 


Q:  You  recently  testified  before  House  and 
Senate  committees  looking  at  data 
security  legislation.  What's  the  mood  on 
Capitol  Hill  around  this  issue ? 


Joseph  Ansanelli 


Ansanelli:  Identity  theft  has  become  the 
number  one  consumer  complaint  to  the 
FTC,  which  estimates  approximately  10 
million  consumers  were  victims  in  2004. 
Identity  theft  has  gone  from  being  a  distant 
fear  to  a  stark  reality  for  many  consumers, 
and  they  want  something  done  now,  so 
Congress  is  under  a  lot  of  pressure  to  act. 

Q:  What  should  CSOs  and  CIOs  know 
about  pending  data  security  legislation? 


Ansanelli:  The  new  legislation  will  likely  set 
a  national,  preemptive  consumer  data 
security  law,  enforced  by  the  FTC.  In 
addition,  the  legislation  will  likely  apply  to 
all  companies  who  store  sensitive 
consumer  data,  and  will  not  be  limited  to 
financial  institutions.  Companies  will  be 
required  to  take  reasonable  measures  to 
secure  the  data  and  notify  consumers  of 
any  breach  that  might  result  in  identity 
theft  or  fraud.  Those  who  don't  will  face 
fines  and  maybe  even  individual  liability. 

Q:  What  are  the  key  legislative  issues  and 
how  will  they  be  resolved? 

Ansanelli:  Congress  has  to  determine  the 
specific  data  security  requirements  for 
companies.  They  will  probably  build  on  the 
Gramm-Leach-Bliley  Act  and  the  FTC 
Safeguards  Rule,  which  requires  financial 
institutions  to  have  a  security  plan  to 
protect  personal  consumer  information.  In 
addition,  since  half  of  all  breaches  are 
caused  by  insiders,  we  expect  companies 
will  have  an  increased  obligation  to  enforce 
both  employee  and  third-party  outsourcers 
compliance  with  data  security  rules. 


CEO  &  Co-Founder 
Vontu,  Inc. 


Q :  Can  new  laws  satisfy  both  businesses 
and  consumers? 

Ansanelli:  For  consumers,  the  new  law 
should  mean  fewer  incidents,  and  the 
notification  rule  will  help  consumers 
quickly  defend  against  identity  theft  when 
data  does  get  out.  For  businesses,  the 
national  security  standard  is  definitely  a 
good  thing,  because  companies  won't  have 
to  deal  with  a  patchwork  of  50  different 
state  regulations.  The  national  law  will  pre¬ 
empt  all  of  the  existing  state  laws  and  put 
everybody  on  the  same  page. 

Q:  How  will  the  new  regulations  change 
the  role  of  data  security  in  business? 

Ansanelli:  If  customer  data  or  company  IP 
gets  out,  companies  lose  money  and  their 
reputations  suffer,  which  makes  data 
security  a  business  issue.  Business 
managers  are  going  to  be  held  accountable 
for  data  security  as  part  of  their  objectives. 
For  information  security,  as  their  focus 
evolves  from  protecting  the  network  to 
protecting  critical  data,  security  and 
business  objectives  will  be  more  and  more 
closely  aligned. 

Q:  What  can  CSOs  and  CIOs  do  today  to 
prepare  for  the  regulations  of  tomorrow? 

Ansanelli:  First,  design  a  well  documented 
security  program  with  policies  that  cover 
the  physical,  technical,  and  procedural 
requirements  for  protecting  confidential 
data.  Second,  perform  risk  assessments 
against  real  and  anticipated  threats  and 
prioritize  areas  of  exposure  to  both  internal 
and  external  threats.  Third,  implement 
controls  that  secure  the  data  and 
proactively  enforce  compliance  by  your 
workforce,  as  well  as  third-party  business 
partners  with  whom  you  share  data.  And 
finally,  put  a  customer  notification  and 
assistance  plan  in  place  now.  Don't  wait 
until  a  crisis. 

Q:  Who  has  done  a  good  job  on  data 
security  compliance?  Who's  the  role 
model? 

Ansanelli:  Under  Gramm-Leach-Bliley  Act, 
financial  services  firms  have  been  doing 
data  security  compliance  for  five  years. 
They  are  the  best  practice  leaders  today, 
because  they  understand  how  to 
demonstrate  compliance  in  a  highly 
regulated  industry.  Industry  groups  like 
ISSA  and  IAPP  also  stay  on  top  of 
regulatory  bills  and  can  help  with 
compliance  information  and  training. 


ADVERTISING  SUPPLEMENT 


PART  41 

DATA  LOSS 


PREVENTION 

A  Case  Study: _ 

Data  Loss  Prevention 
Best  Practices 

Challenge: 

Operating  in  highly  competitive  insurance,  investment, 
and  real  estate  markets  worldwide,  this  financial  services 
firm  needed  to  figure  out  how  to  accelerate  information 
flow  to  service  customers  while  ensuring  that  its  data  dis¬ 
tribution  doesn’t  run  afoul  of  regulatory  requirements, 
snarl  planned  mergers,  acquisitions,  and  divestitures — 
and  remain  consistent  with  standards  for  its  outsourced 
business  partners  and  suppliers. 

Despite  rigorous  security  programs  run  by  experienced 
teams,  the  firm  suspected  that  some  of  its  sensitive  data,  cov¬ 
ering  customers,  employees,  and  its  own  operations,  was 
leaking  out.  As  a  result,  this  company  conducted  a  ‘bake  off 
involving  a  number  of  competitive  solutions  to  identify  the 
extent  of  the  problem  and  identify  requisite  action. 

Ultimately,  the  company  turned  to  Vontu. 

Solution: 

The  company  first  set  the  Vontu  solution  to  gauge  the  extent 
of  its  data-leakage  problem  and  completed  the  assessment 
involving  a  small  segment  of  the  company.  With  the  extent  of 
the  problem  in  the  test  area  revealed,  the  company  decided 
to  scale  the  inspection  of  outbound  flow  of  sensitive  data  to 
other  business  areas  as  well. 

Managing  an  extensive  amount  of  sensitive  data  on 
employees,  customers,  and  its  own  mergers  and  acquisi¬ 
tions,  the  company  sought  to  reduce  misappropriated  infor¬ 
mation  flow  (through  omission  or  commission)  by  its 
employees  and  business  partners. 

Benefits: 

The  Vontu  solutions  reduced  the  amount  of  outbound  flow  of 
sensitive  data  to  a  trickle,  while  identifying  new  problems. 

Subsequently,  the  firm  has  used  the  Vontu  solution  to: 

>  Advise  management  about  which  sensitive 
information  is  flowing  out  of  the  organization, 

>  Run  training  and  awareness  programs  for 
employees, 

>  Notify  line  managers  and  human  resources  about  prob¬ 
lem  situations, 

>  Stop  sensitive  data  from  flowing  outbound  to  unauth¬ 
orized  people  and  locations,  and 

>  Increase  SOX  compliance. 


This  is  a  real  case  study  from  the  Aberdeen  Group's  June 
2005  "Best  Practices  in  Security:  Information  and 
Access"  report.  The  customer  preferred  to  remain  anony¬ 
mous,  to  protect  confidentiality. 


"Vontu's  customer  was  selected  to  be  among  the  top 
10  winners  after  thorough  research  into  the  perform¬ 
ance  results  and  practices  of  hundreds  of  best-in-class 
companies  for  the  Best  Practices  in  Security  for 
Information  and  Access  report,"  says  Jim  Hurley,  Vice 
President  of  Research,  Security,  Compliance  and  Risk 
Management  at  Aberdeen  Group,  Inc.  "The  company 
was  able  to  reduce  and  then  eliminate  the  outbound 
flow  of  their  customer's  sensitive  data,  especially  data 
related  to  mergers  and  acquisitions." 


Lessons  Learned: 

The  company  has  learned  that  security  maturity  and  per¬ 
formance  results  are  mostly  about  people.  As  a  result,  focus¬ 
ing  on  the  people  part  of  security  will  probably  pay  bigger 
dividends  than  focusing  exclusively  on  the  technology. 

Another  important  lesson  is  to  sweep  everything — 
devices,  networks,  systems,  applications,  information,  peo¬ 
ple,  behavior,  and  usage  spikes,  as  well  as  all  detailed  inner 
workings.  Without  such  a  comprehensive  approach,  it’s 
impossible  to  know  where  the  performance  of  security  pro¬ 
grams  has  been,  or  could  be,  compromised. 

This  organization  has  rolled  out  its  controls  to  monitor 
compliance  down  to  the  technology  platforms  and  networks 
that  enable  its  business  operations.  It  anticipates  spending 
additional  time  on  the  people  part  of  SOX  compliance  and 
plans  to  continue  looking  at  additional  information  flow 
monitoring. 


To  read  the  full  report,  go  to 
www.vontu.com/aberdeenreport.asp 


t 


PART  5 

—  ...i  ■  . . - . 

DATA  LOSS 


ADVERTISING  SUPPLEMENT 


PREVENTION 


Preventing  Data  Loss: 
How  to  Begin 


GLBA,  HIPAA,  and  ISO  all  recommend  the 
same  starting  point.  Assess  your  risk  from 
“reasonably  anticipated  threats.” 

Here’s  how  to  get  started. 

IUse  risk  calculator  to 
gauge  your  threat  level. 

It  is  not  uncommon  for  companies  to  be 
surprised  by  the  quantity  of  potential  vio¬ 
lations  that  are  uncovered  in  the  risk 
assessment  process.  To  estimate  the 
potential  risk  to  your  company,  use  the 
calculator  to  the  right  to  quickly  gauge 
your  company’s  risk. 

2  Confirm  your  risk  with  a 
Vontu  Risk  Assessment 

Any  Data  Loss  Prevention  effort  should 
start  with  an  in-depth  risk  assessment  so 
you  can  measure  your  risk  of  data  loss. 
A  Vontu  Risk  Assessment  helps  organiza¬ 
tions  accurately  identify  and  quantify  their 
risk  of  confidential  data  loss  and  build 
processes  for  remediation.  In  a  typical  48- 
hour  engagement,  Vontu  helps  create  and 
implement  data  security  policies  tailored 
to  the  requirements  of  the  business,  and 
monitors  network  traffic  and  file  shares 
for  potential  violations.  The  end  deliver¬ 
able  is  a  Risk  Assessment  Report  with  key 
metrics  that  offers  preliminary  recommen¬ 
dations  to  reduce  risk  of  data  loss  based 
on  industry  best  practices. 


The  process 

>  A  48-hour,  on-site  engagement  by 
Vontu  professional  services. 

What  you  will  learn: 

>  How  much  and  what  type  of 
confidential  data  is  exiting  the  network? 

>  Who  is  transmitting  confidential  data 
outside  the  company? 

>  How  does  the  amount  of  data  leaving 
your  company  compare  to  the  industry 
average? 

>  What  compliance  requirements  are 
being  violated? 

The  risk  assessment 
report  deliverables 

>  Top  security  violations  by  data  type 
and  policy. 

>  Your  overall  risk  profile  compared 
to  industry  averages. 

>  Your  risk  of  non-compliance  with 
regulations. 

>  Business  processes,  policies,  and 
awareness  programs  required  to 
reduce  risk. 


Risk  Calculator 


Complete  this  formula  with  your 
company's  numbers  to  get  a  quick 
gauge  of  your  data  leakage  risk: 


Number  of  employees 


Number  of  emails  sent 
per  employee  per  day* 


-  B 


Multiply  box  A  by  Box  B 


C 


Divide  box  C  by  500** 


t  500 


Number  of  emails  per  day  that  may 
contain  confidential  data  and  cause 
potential  security  breaches. 

Result 

Is  this  an  acceptable  level  of  risk? 

*  10  is  the  average  number  of  emails  sent  outside  the 
network  per  day,  per  employee  for  a  10,000  company 
**Vontu  benchmark  data  -  industry  average  1  in  500 
emails  contain  confidential  data 

Go  to  www.vontu.com/ra.asp  to  learn  more. 


3  Implement  a  Data  Loss 
Prevention  solution  to 
protect  data 

If  your  risk  level  is  unacceptable,  begin 
preparation  to  deploy  a  best-in-class  Data 
Loss  Prevention  solution. 


O  VONTU 

For  more  information  on 
Data  Loss  Prevention,  go  to: 
www.vontu.com  or  call  415-364-8100 


8 


lieutenants— but  not 
yet  full-fledged  CIOs 


Candidates  will  be 
nominated  by  their  CIO  based 
upon  the  characteristics  iden¬ 
tified  in  the  application  at 
www.cio.com/awards. 
Candidates  may  also 
nominate  themselves  or 
be  nominated  by  another, 
but  all  nominations  must 
be  endorsed  by  a  CIO. 

A  panel  of  leading  CIOs  will 
judge  the  nominees  and 
choose  the  winners,  who 
will  be  featured  in  a  special 

July  issue  of  CIO. 

mm 


Winners  will  also 


Presented  by  CIO  magazine  and  the  CIO  Executive  Council 

CIO  Executive  Council 

The  Professional  Organization  for  CIOs 


be  honored  at  the  second 
annual  CIO  Leadership 
Conference  in  Boston, 
May  8 -9, 2006. 


The  Resource  for 
Information  Executives 


We  will 
accept  nominations  from 
Oct.  1- Nov.  30, 2005. 

For  more  information  on 
this  prestigious  award,  go 
to  www.cio.com/awards. 


How  to  Climb  the 
Corporate  Ladder 

Learn  to  fit  in  and  still  make  your  mark 


..  ,m,i  .tod  IM  «*••««••»  M'*"" 
»««»"•«"  i4u«ii  as  wcwson 

fit  in 

STAND 

OUT 


Fit  In,  Stand  Out:  The  Key  to  Leadership 
Effectiveness  in  Business  and  Life 

By  Blythe  J.  McGarvie 
McGraw-Hill,  2005,  $21.95 


book  review  Blythe 
McGarvie  has  done  well  in  the 
corporate  world,  first  as  a  CFO 
for  several  large  companies  and 
now  as  a  corporate  director  for 
Accenture  and  The  Pepsi  Bot¬ 
tling  Group,  among  others.  She 
believes  unabashedly  in  corpo¬ 
rations— their  moneymaking 
mission,  their  ability  to  do 
good  and  the  opportunities 
they  afford  for  career  success. 
Fit  In,  Stand  Out:  The  Key  to 
Leadership  Effectiveness  in  Busi¬ 
ness  and  Life  is  a  career  guide  to 
the  corporate  world. 

Business  success  boils  down 


BLYTHE 


to  two  actions,  says 
McGarvie:  fitting  in 
and  standing  out. 

Fitting  in  means 
finding  your  way  in  the  culture 
and  structure  of  a  company. 
People  who  are  new  to  an 
organization  or  a  position 
should  focus  on  showing  col¬ 
leagues  that  they  can  conform 
to  company  norms  and  are 
trustworthy  and  credible. 

Standing  out  means  separat¬ 
ing  yourself  from  the  corporate 
crowd.  Doing  outstanding  work 
is  not  enough— you  must  seek 
opportunities  to  be  noticed.  ____ _ 


«l-nSOFU,‘»r 

7V  Key  to  Leadership  Efpairene,, 

in  >"'<l  ,Afe 

McGARVIE 
„«»»«»,  .«««** 


While  it  is 
important  for 
employees  to 
demonstrate 
their  ability 
to  fit  in  at  the  start 
of  a  job,  the  ambitious  ones 
must  then  market  themselves  to 
move  upward. 

The  lengthiest  part  of 
McGarvie’s  book  is  devoted  to 
six  characteristics  that  people 
need  in  order  to  advance. 

These  characteristics 
include  financial  acuity— the 
development  of  deep  financial 
comprehension— which 
McGarvie  calls  the  most 
important  catalyst  for  gaining 


a  leadership  position;  integrity, 
an  attribute  that’s  important 
in  an  era  of  public  mistrust  in 
corporations;  and  global  citi¬ 
zenship,  necessary  for  success 
in  a  global  world. 

McGarvie  dresses  up  her 
framework  as  systems  think¬ 
ing,  which  is  a  theoretical 
approach  to  analyzing  how 
interactions  between  parts  of 
an  entity  affect  overall  per¬ 
formance.  That’s  a  stretch  in 
this  case— and  an  unnecessary 
one.  The  true  value  of  this 
book  is  in  its  practical  advice 
and  insights  based  on 
McGarvie’s  experience. 
_ -Edward  Prewitt 


A  COMPUTER  AT  ASTRONAUTS’  COMMAND 


The  Clarissa  system  is  designed  to  read 
instructions  for  procedures  to  astronauts 
such  as  EDWARD  M.  FINCKE 

(above),  making  it  easier  to  conduct  sci¬ 
entific  tests  while  floating  in  microgravity. 


Instead,  a  voice-operated  com¬ 
puter  named  Clarissa  has  been 
developed  to  help  the  astronauts 
with  their  work. 

The  system  was  created  to  give 


astronauts  a  hands-free  helper, 
says  Beth  Ann  Hockey,  project  lead  of  the  NASA  Ames  Research  Team. 
Clarissa  reads  aloud  instructions  to  procedures,  so  that  astronauts  can  give 
full  attention  to  the  tasks  at  hand.  The  system  had  a  successful  test  in  June, 
during  a  mission  to  the  International  Space  Station. 

Clarissa  is  a  far  cry  from  the  phone  banking  or  airline  flight  information 
systems  that  consumers  are  familiar  with.  Those  systems  are  directive,  lead¬ 


SPEECH  RECOGNITION 

Astronauts  must  feel  envy  for  the 
octopus.  Imagine  them  performing 
a  water  analysis.  The  task  requires 
astronauts  to  read  instructions 
from  a  manual  and  test  the  drink- 
ability  of  their  water  while  holding 
down  the  testing  apparatus- 
all  while  floating  in  microgravity. 

An  extra  six  arms  would  be  useful. 


ing  users  through  a  set  of  questions  for  which  there  are  limited  answers, 
such  as  an  account  number  or  the  word  “yes."  In  contrast,  Clarissa  is 
responsive,  constantly  at-the-ready  and  listening  for  relevant  commands. 

The  system  has  the  ability  to  distinguish  between  a  command  and  a  con¬ 
versation  that  might  include  the  same  words.  If  an  astronaut  says  to  a  col¬ 
league,  “I  told  the  computer  to  load  water  testing,”  Clarissa  does  nothing, 
recognizing  that  because  the  command  is  embedded  within  a  larger  sen¬ 
tence,  no  action  is  required.  If  however,  the  astronaut  says,  “Load  water  test¬ 
ing,"  the  system  loads  that  procedure  and  waits  for  the  next  command. 

This  capability  makes  Clarissa  more  “human,”  says  Hockey,  and  thus  eas¬ 
ier  to  interact  with.  (Astronauts  nixed  the  idea  of  a  Star  Trek- like  interface 
that  would  require  them  to  say  “computer”  before  every  command.)  But 
achieving  this  “human”  functionality  has  been  a  challenge  because  of  the 
innumerable  variations  in  what  people  say  and  how  they  say  it.  To  solve  this 
problem,  Jean-Michel  Renders,  a  researcher  from  Xerox,  developed  technol¬ 
ogy  that  enables  Clarissa  to  analyze  utterances  for  various  possible  mean¬ 
ings  and  learn  the  appropriate  response. 

Both  Hockey  and  Renders  say  Clarissa’s  technology  has  applications  in 
any  area  where  having  one’s  hands  free  is  important  or  useful.  Think  aircraft 
repair,  navigating  a  car  or  even  making  copies.  Imagine  being  able  to  tell 
your  printer,  “Make  five  double-sided  copies.”  Now  there’s  some  technol¬ 
ogy  we  can  all  use.  -Diann  Daniel 


26  OCTOBER  15,  2005  |  www.cio.com 


NEC  IP. 

A  multidimensional  solution  for  a  changing  world. 

To  maximize  the  benefits  of  IP  communications,  your  business  needs  more  than  technology. 
It  needs  a  partner  with  the  experience  to  deliver  a  multi-dimensional  solution  based  on  your 
unique  requirements.  At  NEC,  we  combine  the  resources  of  a  $45  billion  global  technology 
leader  with  over  a  century  of  communications  expertise.  The  result  is  a  comprehensive  open- 
platform  IP  solution  for  your  business  that  enables  a  swift  and  rewarding  transition  today,  and 
unlimited  growth  potential  tomorrow.  Advancing  businesses  communications:  just  another 
way  NEC  empowers  people  through  innovation.  1-800-338-9549 

www.necus.com/necip 


IT  SERVICES  AND  SOFTWARE  ENTERPRISE  NETWORKING  AND  COMPUTING  SEMICONDUCTORS  IMAGING  AND  DISPLAYS 


©NEC  Corporation  2005.  NEC  and  the  NEC  logo  are  Registered  Trademarks  of 
NEC  Corporation.  Empowered  by  Innovation  is  a  trademark  of  NEC  Corporation. 


Empowered  by  Innovation 


N  EC 


numbers 

BY  LORRAINE  COSGROVE  WARE 


Phishing  Sinks  Confidence 
in  E-Commerce 

Consumers,  fearing  ID  theft,  are  more 
cautious  about  shopping  online 

Consumer  confidence  in  the  security  of  their  online  transactions  is  slipping  due  to  the  growth  of 
phishing-related  fraud  and  identity  theft,  Gartner  reports.  As  a  result,  consumers  are  curtailing  their 
online  purchases. 

Phishing  is  the  sending  of  an  e-mail  by  cyberthieves  with  a  link  to  a  fake  website  that  is  disguised 
to  look  legitimate,  in  order  to  lure  recipients  into  divulging  personal  information.  Gartner  estimates 
that  73  million  adults  who  use  the  Internet  received  a  phishing  e-mail  between  May  2004  and 
May  2005,  and  that  2.4  million  online  shoppers  lost  money  as  a  direct  result  of  phishing. 

Most  of  the  losses  were  repaid  by  banks  and  credit  card  companies.  Nevertheless,  75  percent 
of  the  5,000  online  consumers  who  Gartner  surveyed  in  May  said  they  have  become  more  cautious 
about  where  they  shop  online,  and  one-third  reported  buying  fewer  items  than  they  would  typically 
purchase  due  to  security  concerns.  Eighty  percent  of  those  surveyed  said  they  now  trust  commercial 
e-mail  less,  while  85  percent  claimed  to  delete  unexpected  e-mails  without  ever  opening  them. 

Unless  companies  take  steps  to  combat  phishing,  the  report  says,  they  will  not  be  able  to  count 
on  online  selling  and  e-mail  as  methods  to  draw  customers. 


Number  of  consumers  receiving  phishing  e-mail: 

2004: 57  million  2005:  73  million 

In  the  past  12  months,  survey  respondents: 

Shopped  online 
Accessed  bank  accounts  online 

Paid  bills  online  63% 

Lack  of  trust  affects  online  behavior: 

I  am  more  cautious 

about  where  I  shop  online  |  75% 

I  buy  fewer  items  online  due 
to  my  security  concerns 

SOURCE:  Gartner 


33% 


f 


Practices: 


1]  Use  y°ur  website  to  edu- 
J  cate  customers  about 

fraudulent  sites.  Warn  them 
about  phishing  schemes  you 

know  about,  and  instruct  them 
hot  to  click  on  links  provided  in 

e-ma/ls  that  purport  to  be  from 

your  company.  Advise  them  to 

type  your  address  directly  into 
their  browsers  to  get  to  your 

site  If  possible,  provide  online 

customers  with  some  type  of 
authentication,  such  as  a  per¬ 
sonal, zed  greeting,  every  time 

they  visit. 

2  "j  Make  it  a  policy  not  to 

J  ask  customers  for  per¬ 
sonal  information  via  e-mail 

and  remind  them  frequently  of 

this  poircy.  Enforce  the  practice 
w'th  employees. 

3 1  Havea  Process  in  place 
-I  to  fake  action  against 

Phishers  when  attacks  occur 
and  to  reassure  customers.  ’ 

As  part  of  this  process,  collect 

information  from  customers 
about  the  attack.  specjfical(y> 
he  P  address  of  the  phisher. 

Contact  the  ,SP  and  reportthe 

incident,  and  then  call  law 

enforcement. 


» 

n 

2 

a 

r 

►H 

z 

n 

cn 


o 

< 


CD 

o 

I— 

o 

X 

Q- 


2  8 


OCTOBER  15,  2005  |  www.cio.com 


‘rV’ii 


Business  performance  on  an  entirely  new  scale.  The  first  reporting 
tool  to  reach  into  every  data  source  in  your  organization  and  deliver  fast,  flexible 
reports  to  everyone.  Crystal  Reports.®  A  key  component  of  the  world’s  only 
integrated  business  intelligence  platform.  The  fast  way  to  achieve  your  goals. 


Business  Objects 


The  Business  Objects  logo  and  Crystal  Reports  are  trademarks  or  registered  trademarks  of  Business  Objects  SA.  ©  2005  Business  Objects  SA.  All  rights  reserved. 


'M 


ThinkPad  recommends  Windows®  XP  Professional. 


YOU’RE  LOOKING  AT  THE 
MOST  SECURE  WIRELESS  PC. 


AND  THE  EASIEST  WAY 
TO  UNLOCK  IT. 


Availability:  All  offers  subject  to  availability.  Lenovo  reserves  the  right  to  alter  product  offerings  and  specifications  at  any  time,  without  notice.  Lenovo  is  not  responsible  for  photographic  or  typographic  errors.  'Pricing:  Prices  do  not  include  tax  or  shipping  or  recycling  fees  and  are  subject  to 
change  without  notice.  Reseller  prices  may  vary  Warranty:  For  a  copy  of  applicable  product  warranties,  write  to:  Warranty  Information,  PO.  Box  12195,  RTP,  NC  27709,  Attn:  Dept  UF2A/B203.  Lenovo  makes  no  representation  or  warranty  regarding  third  party  products  or  services  Footnotes: 
(1)  Mobile  Processors:  Power  management  reduces  processor  speed  when  in  battery  mode.  (2)  Wireless:  based  on  IEEE  802.11a,  802.11b  and  802. 1  lg  respectively.  An  adapter  with  lla/b,  llb/g  or  lla/b/g  can  communicate  on  either/any  of  these  listed  formats  respectively;  the  actual 
connection  will  be  based  on  the  access  point  to  which  it  connects.  (3)  Included  software:  may  differ  from  its  retail  version  (if  available),  and  may  not  include  user  manuals  or  all  program  functionality.  License  agreements  may  apply.  (4)  Memory:  For  PCs  without  a  separate  video  card,  memory 
supports  both  system  and  video.  Accessible  system  memory  is  up  to  64MB  less  than  the  amount  stated,  depending  on  video  mode.  (5)  Hard  drive:  GB  =  billion  bytes.  Accessible  capacity  is  less;  up  to  4GB  is  service  partition.  (7)  Thinness:  may  vary  at  certain  points  on  the  system  (8)  Travel 
Weight:  includes  battery  and  optional  travel  bezel  instead  of  standard  optical  drive  in  Ultrabay  bay.  if  applicable;  weight  may  vary  due  to  vendor  components,  manufacturing  process  and  options.  (9)  Internet  access  required;  not  included.  (10)  ThinkVantage  Client  Security  Solution:  requires 


centrino 


MOBILE 
TECHNOLOGY 


I 


ThinkPad  R50e 

DISTINCTIVE  INNOVATIONS 


ThinkPad  T43  with  Integrated 
Fingerprint  Reader 


ThinkVantage  Rescue  and  Recovery  - 
one-button  recovery  and  restore  solution 


Perfect  balance  of  performance  and  portability. 


THE  MOST  SECURE  WIRELESS  PC.  ONLY  ON  A  THINKPAD. 

Put  security  at  your  fingertips  when  you’re  on  the  road.  Literally. 
These  ThinkPad®  notebooks  feature  Intel®  Centrino™  Mobile 
Technology,  so  you  can  access  your  data  wirelessly  anytime.9 
And  with  our  Integrated  Fingerprint  Reader  (select  models),  it  all 
happens  with  one  finger  and  one  password.  These  innovations, 
combined  with  our  security  chip  and  security  software,  provide 
a  level  of  security  that  no  one  else  offers  as  a  standard  feature. 
Giving  you  the  most  secure  wireless  PC  available. 


SYSTEM  FEATURES 

Intel®  Centrino"  Mobile  Technology 
Intel®  Pentium®  M  Processor  725  (1.60GHz)1 
Intel®  PRO/Wireless  22QOBG  (802.1  lb/g); 

Microsoft'”  Windows™  XP  Professional3 

15"  XGA  TFT  Display  (1024x768) 

256MB  DDR  SDRAM4,  40GB  Hard  Drive5 

$949*  (P/N  1842QDU) 

ThinkPad  Premiere  Leather 
Carrying  Case 

$99  (P/N  10K0209) 

ThinkPad  Women's  Executive 
Red  Leather  Tote13 


DISTINCTIVE  INNOVATIONS 

ThinkVantage  Client  Security  Solution  6.010 
-  Strong  security  as  a  standard  feature 

SYSTEM  FEATURES 

Intel®  Centrino™  Mobile  Technology 
Intel®  Pentium®  M  Processor  740  (1.73GHz) 
Intel®  PRO/Wireless  2200BG  (802.11b/g) 

Microsoft®  Windows®  XP  Professional 

15"  XGA  TFT  Display  (1024x768) 

512MB  DDR2J5DRAM,  60GB  Hard  Drive 

Ultrabay  Slim  CD-RW/DVD  ROM  Combo 
Only  1“  thin  and  4.7-lb  travel  weight’ 
1-yr  limited  warranty11 
THINK  EXPRESS  MODEL 


$130 


(P/N  22P8858) 


1499 


(P/N  1875DLU) 


With  the  Think  Express  Program,  ThinkPad  notebooks  are  preconfigured  with  your  business,  and  your  budget,  in  mind. 


To  shop  or  locate  your  local  reseller 


Call  1  866-426-0007 

Go  to  thinkpad.com/security/m585 


ThinkPad  is  a  product  of  Lenovo. 


ThinkPad 


software  download.  (11)  Limited  warranty:  Support  unrelated  to  a  warranty  issue  may  be  subject  to  additional  charges,  (12)  Systems  with  limited  onsite  service:  are  designed  to  be  repaired  during  the  applicable  warranty  period  primarily  with  customer-replaceable  parts.  A  technician  will 
only  be  sent  onsite  to  perform  a  repair  if  (a)  remote  telephone  diagnosis  and/or  customer  part  replacement  are  unable  to  resolve  the  problem,  or  (b)  the  part  is  one  of  the  few  designated  by  Lenovo  for  onsite  replacement.  For  a  list  of  onsite  replaceable  parts,  contact  Lenovo.  Support  unrelated 
to  a  warranty  issue  may  be  subject  to  additional  charges.  (13)  Certain  IBM"  and  ThinkPad"  logo  products:  are  not  manufactured,  warranted  or  supported  by  IBM  or  Lenovo;  IBM  and  Lenovo  logos  and  trademarks  used  under  license.  Contact  Lenovo  for  details  Trademarks  the  following  are 
trademarks  of  Lenovo:  ThinkPad,  ThinkCentre  and  UltraConnect.  IBM  and  the  IBM  logo  are  registered  trademarks  of  IBM  and  are  used  under  license.  Microsoft  and  Windows  are  registered  trademarks  of  Microsoft  Corporation.  Intel,  Intel  logo,  Intel  Inside,  Intel  Inside  logo.  Intel  Centrino.  Intel 
Centrino  logo,  Celeron,  Intel  Xeon,  Intel  SpeedStep,  Itanium,  and  Pentium  are  trademarks  or  registered  trademarks  of  Intel  Corporation  or  its  subsidiaries  in  the  United  States  and  other  countries.  Other  company,  product  and  service  names  may  be  trademarks  or  service  marks  of  other 
companies.  ©2005  Lenovo.  All  rights  reserved  Visit  www.lenovo.com/safecomputing  periodically  for  the  latest  information  on  safe  and  effective  computing. 


mam 


Mike  Hugos 


TOTAL  LEADERSHIP 


How  to  Become  a 
Change  Agent 

If  you  want  people  to  follow  you,  take  a  walk  in  their  shoes 


I  have  always  been  fascinated  by  how  information  tech¬ 
nology  can  be  used  to  make  an  organization  more  com¬ 
petitive.  And  so  I  redesign  existing  business  processes 
and  design  new  processes  and  then  try  to  get  people  to 
buy  into  these  ideas. 

In  short,  I  am  a  change  agent. 

Sometimes  I  am  welcomed  like  a  new  coach  who  the  players 
believe  can  turn  around  a  losing  team.  Other  times  I  am  received 
like  a  government  tax  auditor  at  a  shareholders’  meeting.  Leading 
change  is  a  delicate  business.  We  all  agree  that  companies  need  to 
innovate  and  become  more  agile  to  compete  in  today’s  global  econ¬ 
omy.  But  on  the  road  between  this  general  agreement  and  any  new 
way  of  doing  something,  there  are  many  pitfalls  awaiting  the 
change  leader.  Change  stirs  up  a  lot  of  resistance  in  people.  As 
Mark  Twain  put  it,  “I’m  all  for  progress.  It’s  change  I  don’t  like.” 

A  leader  has  to  get  past  this  resistance  and  convince  others 
to  embrace  new  ways  of  doing  things.  But  first,  he  needs  to  get 
people  to  listen  to  what  he  has  to  say. 

Leading  by  Doing 

Some  years  ago  I  was  hired  to  be  a  director  of  systems  devel¬ 
opment  at  a  company  that  distributed  electric  wire  and  cable  and 
electronic  communication  systems.  After  I  had  been  with  the 
company  for  a  few  months,  the  COO  called  me  to  his  office.  He 
told  me  that  the  four  regional  sales  vice  presidents  wanted  to 
streamline  the  sales  process,  but  that  IT  had  saddled  them  with 
clunky,  hard-to-use  systems.  So  they  had  requested  money  to 
hire  consultants  to  build  the  new  systems  they  wanted.  “They 
are  not  getting  their  own  IT  budget,”  the  COO  told  me.  “Your  job 
is  to  figure  out  what  they  want.” 


3  2 


OCTOBER  15,  2005  |  www.cio.com 


ART  BY  DARRELL  EAGER 


When  you  don’t  know  what  people  want,  you  need  to  ask 
them.  So  I  decided  to  spend  time  in  the  field.  One  day  I  was  vis¬ 
iting  a  regional  headquarters,  talking  with  a  salesperson  about 
his  job.  He  was  telling  me  about  the  difficulties  he  was  having 
with  the  existing  computer  system.  I  noticed  the  sales  vice 
president  watching  me  from  his  corner  office. 

After  about  15  minutes  he  walked  up  to  the  cubicle  where 
we  were  sitting  and  said,  “Move  over,  Steve.  Let  Mike  take 
your  calls  and  see  for  himself  what  it’s  like.”  I  looked  up  at  him 
and  I  knew  he  could  see  the  fear  in  my  eyes.  He  said,  “Don’t 
worry  if  you  screw  up.  We  screw  up  too.”  Then  he  went  back 
to  his  office. 

It  was  clear  to  me  that  if  I  was  to  get  anywhere  with  this 
project,  I  had  to  take  his  dare.  I  sat  down  in  Steve’s  chair  and 
started  taking  calls.  The  afternoon’s  customers  were  prima¬ 
rily  building  contractors  who  needed  some  cable  or  electronic 
gear  in  a  hurry.  My  task  was  to  sell  them  what  I  had  at  the 
greatest  profit  and  at  the  same  time  be  helpful  and  make  them 
feel  as  if  they  had  received  a  good  deal. 

The  callers  were  busy,  and  they  talked  fast.  I  had  to  look  up 
the  products  they  wanted  and  see  if  I  had  them  in  stock.  If 
something  wasn’t  in  stock,  I  had  to  find  something  else  that 


would  fit  their  needs.  At  the  same  time,  I  was  also  supposed  to 
quote  a  price  based  on  the  prices  other  salespeople  had  recently 
gotten  for  the  same  items,  factoring  in  such  variables  as  how 
much  the  customer  wanted  to  buy  and  whether  he  would  pick 
up  his  purchase  himself. 

What  I  Learned  in  the  Trenches 

It  was  too  difficult  to  get  all  the  information  I  really  needed  to 
make  the  best  decisions.  Navigating  from  one  screen  to  the 
next  was  hopelessly  complex,  requiring  me  to  remember  cryp¬ 
tic  commands  and  to  know  which  function  keys  to  press— and 
in  which  order— to  find  what  I  was  looking  for.  Sometimes  I 
quoted  too  high  a  price  and  people  said  they’d  get  back  to  me 
later  (which  they  never  did).  Other  times  I  was  intimidated 
into  quoting  a  price  that  didn’t  have  much  profit  in  it  at  all. 

In  a  stroke  of  beginner’s  luck,  I  managed  to  make  the  company 
some  money  that  day,  but  more  important  for  my  purposes,  I 
understood  what  type  of  system  would  help  the  salespeople 
become  more  profitable.  I  realized  that  their  job  was  somewhat 
like  that  of  a  stockbroker.  Prices  were  always  fluctuating  based 
on  many  factors,  including  supply  and  demand.  The  salespeo- 

Continued  on  Page  40 


I've  been  printing,  copying,  scanning,  putting  in  tabs 
and  hole  punching  booklets  all  morning. 


That  new  Ricoh  high  volume  system's 
a  real  workhorse,  huh  Jerry? 


Ricoh  dependability  moves  your  ideas  forward. 


ricoh-usa.com 

©2005  Ricoh  Corporation. 


RICOH 


IT'S  ALL  ABOUT  THE  EXECUTION 


Michael  Schrage 


The  Key  to  Innovation: 
Overcoming  Resistance 

CIOs  should  be  investing  less  time  in  brainstorming  good  ideas  and  more 
time  in  targeting  the  sources  of  resistance  to  change 


By  far  the  most  common  question  I  get  from  CIOs  and 
their  direct  reports  is  some  heartfelt  permutation  of, 
“My  IT  group— our  company— needs  to  become 
much  more  innovative.  How  can  we  do  it?  How 
should  we  do  it?  Help.” 

Those  questions  are  invariably  followed  by  a  tragic  but  true 
innovation  tale:  The  well-meaning  Jedi  Knights  of  IT  are 
thwarted  by  organizational  Darth  Vaders  ruthlessly  intent  on 
crushing  digitally  enabled  change  enterprisewide. 

I  nod  sympathetically  and  brace  for  what’s  almost  always  said 
next:  “Michael,  I  really  need  to  come  up  with  better  ideas  faster.” 

Without  hesitation,  I  say  what  I  always  say  to  these  frus¬ 
trated  innovators:  “No,  you  really  don’t.  Honest.” 

Nothing  in  the  business  world  is  more  overrated  than  a  “good 
idea.”  Nothing.  I’ve  never  gone  into  an  organization  anywhere  in 
the  world  that  didn’t  have— with  a  little  prompting  and  encour¬ 
agement-more  good  ideas  than  it  could  possibly  use.  Indeed, 
most  firms  enjoy  a  surplus— a  glut— of  good  ideas.  As  a  rule,  a  glut 
of  something  makes  it  less  valuable,  not  more.  Economics  101. 

By  contrast,  I’ve  never  gone  into  an  organization  where  the 
process  of  implementing  good  ideas  was  fast,  cheap,  easy  and 
successful.  There  seems  to  be  a  terrible  scarcity— a  corporate 
famine— of  good  implementations. 

Simply  put,  good  ideas  are  cheap;  good  implementations 
aren’t.  Experience  teaches  that  aspiring  IT  innovators  don’t 
need  better  ideas  that  make  more  sense.  They  need  better  imple¬ 
mentations  that  make— or  save— more  money.  If  organizations 
can  boost  their  “return  on  innovation”  by  investing  more  in 
good  implementations  than  in  good  ideas,  then  that’s  where 
their  capital  should  go. 


34 


OCTOBER  15,  2005  |  www.cio.com 


ILLUSTRATION  BY  LUBA  LUKOVA 


THE  RESILIENT 
INFRASTRUCTURE: 
A  GUIDE  FOR 
THE  FEARLESS. 


VE  RITAS' 


For  today’s  enterprise,  the  only  constant  is  change.  And  keeping  up  with  change  is  the  ultimate 
challenge  for  a  business  faced  with  an  endless  series  of  paradoxes:  making  information  both 
secure  and  available;  being  reactive  and  proactive  simultaneously;  responding  quickly  to  both  now  from  Symantec 
new  threats  and  new  ideas.  The  solution?  A  resilient  infrastructure  that  lets  you  respond  as  rapidly  to 
opportunity  and  innovation  as  you  do  to  threats  and  disruptions;  and  where  the  elements  that  help  keep  your 
company  up,  running  and  growing  —  security,  storage  and  recovery  —  are  firmly  in  place.  This  is  the  ideal  that 
has  brought  together  Symantec  and  VERITAS  to  form  a  single  company  with  a  single  goal:  to  help  you  build  a 
fearless  enterprise.  For  more  information  visit  www.symantec.com/RI.  BE  FEARLESS. 


Symantec 


TM 


Michael  Schrage 


IT'S  ALL  ABOUT  THE  EXECUTION 


Despite  the  fervent  hopes  of  bright  people 
with  brilliant  ideas,  successful  innovation  can’t 
be  divorced  from  successful  implementation. 

The  best  insights  into  innovation  cultures 
don’t  come  from  the  quantity  and  quality  of 
its  ideas  but  in  the  nature  of  the  resistance  to 
their  successful  implementation. 

Grasping  the  essence  of  an  innovation 
culture  is  astonishingly  easy.  Simply  fill  in  the  blank.  Whenever 
a  good  idea  is  proposed,  you’ll  find  the  core  values  of  an  inno¬ 
vation  culture  in  the  words  that  follow  this  common  phrase: 
“We  can’t  do  that  because....” 

Whatever  reasons,  excuses  and  evasions  people  use  to  explain 
away  why  good  ideas  can’t  be  implemented  is  the  organiza¬ 
tion’s  innovation  culture.  Period.  We  can’t  do  that  because.. .it’s 
too  expensive,  the  boss  won’t  like  it,  the  lawyers  won’t  let  us,  it’s 
not  in  the  budget,  we  don’t  think  it  will  work,  the  vendor  will 
charge  us  too  much  for  changing  the  code,  marketing  will  take 
it  from  us  if  it  actually  succeeds,  the  woman  championing  it  is 
a  credit-hog,  IT  shouldn’t  be  leading  this  kind  of  initiative,  it  dis¬ 
tracts  us  from  our  main  mission  and  so  on. 

It’s  Human  Nature  to  Resist 

Sound  familiar?  Alas,  these  sources  of  resistance  are  the  real  “brand 
attributes”  of  an  organization’s  innovation  culture.  Listen  to  them, 
learn  them  and  respect  them.  They  are  how  organizations  truly 
define  innovation.  Never  fool  yourself  into  thinking  you’re  just  a 
good  idea  away  from  innovative  success.  Resistance,  not  ideas,  is  the 
most  powerful  lens  for  viewing  innovation  behavior. 

Doubt  that?  Most  people  in  the  Western  world  are  signifi¬ 
cantly  overweight;  maybe  you’re  one  of  them.  Fortunately,  there’s 
a  proven  algorithm— a  very  good  idea— for  successfully  allevi¬ 
ating  this  condition:  Eat  less,  exercise  more.  Alas,  only  a  tiny 
fraction  of  the  chunky  population  consistently  implements  this 
very  good  idea  on  a  daily  basis. 

But,  honestly,  just  how  good  of  an  idea  is  “eat  less,  exercise 
more”  if  so  few  people  actually  implement  it?  The  economic 
value  of  a  good  idea— if  it  is,  indeed,  a  good  idea— lies  more  in 
its  successful  implementation  than  its  clever  articulation. 

Just  as  actions  speak  louder  than  words,  implementations  are 
more  compelling  than  ideas.  The  infinite  varieties  of  how  people 
cheat  on  their  diets  and  exercise  regimes  is  a  microcosm  of  the 
organizational  frictions  that  innovations  can  generate.  After  all, 
liposuction  is  one  of  the  world’s  fastest-growing  surgical  proce¬ 
dures  for  a  reason.  For  a  growing  segment  of  the  marketplace,  it 
really  is  faster,  cheaper,  easier  and  more  successful  than  “eat  less, 
exercise  more.” 

Consequently,  the  innovation  challenge  is  the  challenge  of 
diagnosing  and  overcoming  organizational  resistance.  When 
you  hear,  We  can’t  do  that  because  it’s  too  expensive,  the  serious 


innovator’s  obligation  is  to  demonstrate  that, 
in  fact,  the  proposed  innovation  is  cheaper. 
Build  a  demo  or  simulation  that  makes  the 
case.  A  better  idea  isn’t  going  to  do  it. 

When  the  resistance  is  that  the  boss  won’t 
like  it,  the  serious  innovator’s  response  is  to 
determine  if  the  boss’s  boss  is  a  better  target 
market  for  the  innovation  proposal.  Perhaps 
some  other  constituency  can  make  the  boss  see  the  error  of  his 
ways.  (For  example,  one  Procter  &  Gamble  brand  manager 
sent  prototypes  to  his  boss’s  wife  for  her  advice  as  a  target  cus¬ 
tomer  and  turned  her  into  the  most  influential  internal  ally 
the  innovators  could  have  ever  hoped  to  have.) 

Understanding  the  innovation 
culture  of  your  organization 
is  critical  to  understanding 
which  good  ideas  will  take 
root  or  vanish  without  a  trace. 

Whether  resistance  is  overcome  by  an  act  of  persuasion, 
seduction,  manipulation,  intimidation  or  bribery,  the  fact  is 
that  it  has  to  be  overcome.  In  this  context,  the  models,  proto¬ 
types  and  simulations  that  IT  builds  are  less  mechanisms  to 
solve  problems  than  ways  in  which  to  surface  the  real  rea¬ 
sons  for  resistance.  Bitter  experience  affirms  that  individuals 
and  organizations  don’t  hesitate  to  offer  dishonest,  misleading 
or  ignorant  reasons  for  not  wanting  to  implement  an  idea. 

At  one  bank,  online  marketing  absolutely  refused  to  allow  a  sub¬ 
tle  yet  important  interface  change  to  be  tested  on  its  consumer  site. 
IT  convinced  the  firm  to  adopt  the  change  by  making  a  similar 
change  on  the  bank’s  human  resources  intranet  site  and  then 
quickly  debugging  the  problems  associated  with  the  modifica¬ 
tion.  Resistance  was  overcome  by  a  cost-effective  example. 

The  smartest  thing  innovation-sawy  CIOs  could  do  to  boost 
their  chances  of  success  is  to  invest  less  time  brainstorming  and 
more  thought  targeting  the  sources  of  resistance  to  innovation 
implementation.  Innovation  initiatives  should  have  explicit  flow¬ 
charts  and  tactics  explaining  how  internal  resistance  will  be  iden¬ 
tified  and  finessed.  Overcoming  resistance  should  be  the  driving 
dynamic  for  implementing  innovations  within  the  enterprise. 

Alas,  even  as  I  write  this  I  can  just  see  you  muttering  to 
yourself,  “We  can’t  do  that  because....”  HE 


Michael  Schrage  is  codirector  of  the  MIT  Media  « 
Lab’s  eMarkets  Initiative.  He  can  be  reached  at 
schrage@media.mit.edu.  Please  send  comments  to  ^ 
Executive  Editor  Alison  Bass  at  abass@cio.com.  Lit 


Innovation  Advice 


How  do  you  overcome  resistance 
to  new  ways  of  doing  things  at  your 
company?  Share  your  tips  in  the 
ADD  A  COMMENT  section  online 

at  www.cio. com/101505. 

cio.com 


3  6 


OCTOBER  15,  2  005  |  www.cio.com 


PHOTO  BY  JOHN  SOARES 


AT&T 

Can  your 

and 

network 

WHIRLPOOL 

perform 

CORPORATION 

in  harmony? 

INNOVATE  GLOBALLY.  When  Whirlpool  Corporation  wanted  to  foster 
innovation  worldwide,  they  turned  to  the  world’s  networking  company. 
Now,  with  a  global  IP  Virtual  Private  Network  from  AT&T,  Whirlpool 
designers  everywhere  can  access  proprietary  applications,  share 
information,  and  collaborate  in  real  time  —  all  on  a  single  secure, 
standardized  platform.  So  the  world’s  next  revolutionary  design  can  move 
from  concept  to  your  home  faster  than  ever.  CAN  YOUR  NETWORK  DO  THIS? 


0  ?  kO0 1010 

)  1  ( rh  1-t  • 


AT&T 

The  world's  networking  company® 


Whirlpool 


Whirlpool 


Whirlp 


Whirlpool 


Whirlpool 


Whirlpool 


To  find  out  how  AT&T’s  networking  solutions 
helped  Whirlpool  transform  its  business,  go  to: 

att.com/innovate 


mm 


FIELD-TESTED  IDEAS  FROM  CIOs  FOR  CIOs 


Howto  Groom  a  Successor 

How  one  CIO  started  a  job  in  a  foreign  land  knowing  that  until  he  found  or  groomed  a 
successor,  he  wouldn’t  be  coming  home 

BY  JOHN  W.  VON  STEIN 


Several  years  ago  I  was  a  vice  president  of  IT  for  the 
world’s  largest  privately  held  commodities  and  foods 
company.  At  that  time  I  was  responsible  for  the  agri¬ 
culture-oriented  business  units  globally.  The  overall 
CIO  at  the  time,  Lloyd,  called  to  say  that  our  Latin  American 
regional  CIO  had  suddenly  retired  and  that  the  regional  busi¬ 
ness  leaders  could  not  agree  on  an  internal  successor.  Lloyd 
wanted  me  to  take  over  as  interim  CIO  and  try  to  make  peace 
with  the  business  leaders  in  the  region.  He  also  tasked  me  to  hire 
a  regional  CIO  from  the  local  market. 

Lloyd  said  he  expected  it  to  take  about  three  months  to  hire 
the  new  manager  and  another  three  months  or  so  for  me  to 
properly  bring  the  new  hire  onboard.  Little  did  I  know  what  I 
was  really  in  for.  In  the  end,  my  “temporary”  assignment  took 
about  two  and  a  half  years.  And  during  my  stint,  I  learned 
many  lessons  about  how  to  get  warring  staff  to  settle  their  dif¬ 
ferences  and  work  together  and  how  to  groom  internal  leaders— 
all  while  settling  into  a  new  country  and  culture. 

The  Warring  Camps 

The  Latin  American  region  consists  of  about  25  business  units 
spread  across  16  countries.  At  the  time  the  business  units  employed 
about  17,000  people  and  generated  about  $8  billion  in  revenue.  At 
its  peak  there  were  about  600  IT  staff  in  the  region,  largely  con¬ 
centrated  in  Brazil,  Argentina,  Mexico  and  Venezuela.  The  Argen¬ 
tine  operation  was  one  of  the  first  and,  in  the  beginning,  was  the 
largest  base  of  business  for  the  company  in  Latin  America.  Over 
time,  due  mostly  to  the  vast  size  and  large  population,  Brazil  over¬ 
took  Argentina  in  both  the  number  of  business  units  and  the  total 
amount  of  business  generated  from  the  region.  In  spite  of  this, 


OCTOBER  15,  2005  |  www.cio.com 


ILLUSTRATION  BY  WALTER  VASCONCELOS 


much  of  the  company’s  internal  political  power  in  Latin  America 
either  resided  in  Argentina  or  with  Argentine  expatriates  work¬ 
ing  elsewhere  in  the  region.  There  was  tension  between  the  Argen¬ 
tine  and  Brazilian  seats  of  power,  which  was  like  gasoline  on  the 
fire  of  the  historical  rivalry  that  has  existed  between  these  two 
countries  for  centuries. 

At  my  first  meeting  in  October  2001  with  business  managers 
from  the  region  at  a  senior  officers’  meeting  in  Minneapolis, 
many  issues  surfaced,  including  the  lack  of  overall  cost-effec¬ 
tiveness  of  IT,  what  to  do  about  a  very  large-scale  ERP  imple¬ 
mentation  project  that  was  struggling  for  survival  and  the 
inability  of  local  business  leaders  to  agree  on  an  internal  succes¬ 
sor.  However,  they  did  agree  that  they  were  all  generally  unhappy 
with  the  fact  that  an  American  (me)  was  being  forced  upon  them 
in  this  situation.  I  tried  to  alleviate  the  tension  by  stating  that  I  was 
just  trying  to  help  and  was  indifferent  to  the  outcome— so  long 
as  we  achieved  our  goals.  This  helped  focus  everyone  on  the  task 
rather  than  competing  for  my  support  of  one  political  camp  or 
another.  By  the  end  of  the  meeting  we  all  agreed  to  work  together, 
and  the  tension  in  the  air  started  to  dissipate.  Phew! 

My  first  task  was  to  learn  about  the  countries,  cultures  and 
quality  of  the  people  in  our  Latin  American  operations.  I  began 


taking  intensive  Berlitz  classes  to  learn  Spanish.  And  I 
prompted  many  people  in  Latin  America  to  learn  English  so 
that  they  would  feel  more  connected  to  me  and  to  the  company 
overall.  Over  time  I  gained  trust,  respect  and  admiration  for  my 
Latin  American  colleagues,  and  earned  their  trust  as  well.  By 
February  2002  we  were  in  full  recruitment  mode  and  were 
starting  to  see  some  interesting  resumes. 

I  also  began  to  assess  the  internal  candidates,  two  of  whom 
proved  to  be  very  capable  indeed.  Jose  from  Brazil  and  Sergio  from 
Argentina  each  had  winning  traits  but  needed  to  hone  some 
skills  and  round  out  their  experience.  In  the  past,  the  regional  CIO 
had  been  named  from  outside  the  region’s  IT  group.  But  the  staff 
was  more  loyal  to  their  long-term,  locally  grown,  first-line  man¬ 
agers  than  to  “implanted”  regional  CIOs  like  me  or  my  prede¬ 
cessor.  My  head  told  me  to  follow  the  plan,  hire  someone  from  the 
outside  and  get  out  of  Latin  America  ASAP.  However,  my  gut  told 
me  to  stay  on  the  job  a  little  longer  and  groom  both  internal  can¬ 
didates  for  the  job.  So  I  recommended  that  we  suspend  the  exter¬ 
nal  search  for  a  year  and  that  I  stay  on  and  concentrate  on 
grooming  the  internal  candidates.  With  mixed  emotions  I 
thanked  everyone  for  their  continued  support  of  “The  Gringo”  as 

Continued  on  Page  40 


Ricoh  dependability  moves  your  ideas  forward. 


ricoh-usa.com 

©2005  Ricoh  Corporation. 


RICOH 


1 


Peer  to  Peer  FIELD-TESTED  IDEAS  FROM  CIOs  FOR  CIOs 


Continued  from  Page  39 

I  was  affectionately  becoming  known  in  the  region. 

As  it  turned  out,  I  needed  their  support  for  an  additional  two 
years.  That’s  how  long  it  took  to  groom  the  two  internal  candi¬ 
dates.  Jose  was  the  infrastructure  manager  in  the  region,  but  he 
was  mostly  known  only  in  his  native  Brazil.  He  had  strong  proj¬ 
ect  management  skills,  was  innovative,  and  was  fluent  in  Span¬ 
ish  and  English  in  addition  to  his  native  Portuguese.  However, 
he  did  not  have  much  experience  with  creating  a  long-term 
vision.  Sergio  was  a  well-known  IT  manager  for  the  largest 
business  unit  in  Argentina.  Sergio  could  easily  switch  between 
visionary,  long-term  thinking  and  short  term,  tactical  thinking, 
but  he  had  an  edge  that  needed  to  be  polished.  I  created  a  regional 
relationship  manager  role  (liaison  between  the  various  busi¬ 
ness  units  and  the  regional  IT  shared  service)  for  Jose,  and  pro¬ 
moted  Sergio  from  his  business-unit  IT  manager  role  into  the 
regional  infrastructure  manager  role.  This  allowed  each  per¬ 
son  to  get  the  most  professional  development  in  the  least  amount 
of  time.  Both  Jose  and  Sergio  started  executive  MBA  programs, 
and  we  had  many  one-on-one  mentoring  sessions.  The  regional 
business  leaders  and  I  decided  to  officially  end  the  external  can¬ 
didate  search  and  stay  the  course  with  Jose  and  Sergio. 

Another  year  or  so  passed,  and  in  February  2004  I  was 
recruited  for  the  executive  VP  and  CIO  role  at  The  Options  Clear¬ 
ing  Corp.  in  Chicago.  My  two  Latin  American  proteges  were  ready, 
so  the  timing  was  good  for  all. 


And  the  Winner  Is... 

Eventually,  I  recommended  that,  although  either  could  be  suc¬ 
cessful,  Jose  was  better  prepared  overall  and  had  a  better  chance 
at  long-term  success  as  the  regional  CIO.  This  recommendation 
was  based  on  Jose’s  ability  to  communicate  effectively  at  all 
levels,  from  IT  to  the  business  as  well  as  from  the  region  to 
headquarters.  By  now,  with  the  apparent  success  of  the  IT  turn¬ 
around  in  the  region,  the  animosity  and  intra-regional  rivalry 
had  substantially  subsided  and  essentially  was  a  nonfactor  in 
the  final  decision  making. 

It  has  been  about  two  years  since  Jose  was  named  the  regional 
CIO.  Jose,  his  wife  and  their  two  young  children  have  relocated 
to  Minneapolis  so  that  he  can  operate  out  of  the  company’s  U.S. 
headquarters.  He  is  doing  just  fine  in  his  role.  Sergio  has  a  great 
attitude  and  is  still  performing  very  well  in  his  role  as  the  regional 
infrastructure  manager.  In  keeping  with  the  faith,  they  both  are 
grooming  other  managers  in  the  region  for  future  growth.  Their 
leadership  and  management  strength  has  also  raised  the  visibility 
and  credibility  that  the  Latin  American  region 
has  within  the  company  overall.  QE1 


John  W.  Von  Stein  is  the  executive  vice  president  and 
CIO  of  The  Options  Clearing  Corp.,  an  equity  deriva¬ 
tives  clearing  company.  He  can  be  reached  via  e-mail 
at  jvonstein@theocc.com. 


Mike  HugOS  total  leadership 


Continued  from  Page  33 

pie  needed  different  information  at  different  times  to  get  a  good 
feel  for  the  best  price  to  offer  a  customer.  The  most  important  data 
had  to  be  displayed  on  just  a  handful  of  easy-to-access  screens. 
And  navigation  among  screens  had  to  be  fast  so  that  you  could 
retrieve  information  while  you  were  talking  on  the  phone. 

Call  Me  Mr.  Credible 

The  story  traveled  over  the  grapevine:  An  IT  guy  had  taken 
sales  calls.  An  IT  guy  might  actually  have  a  clue.  After  that,  the 
salespeople  knew  who  I  was.  They  opened  up  to  me.  They 
wanted  me  to  know  about  ideas  they  had  for  this  or  that  feature 
of  a  new  system.  I  fit  these  suggestions  into  the  overall  design 
for  a  new  sales  support  system. 

People  liked  the  designs  I  showed  them.  They  could  see  their 
own  ideas  reflected  in  them.  I  was  able  to  create  a  consensus  for 

changing  and  improving  the  sales 
process  among  a  broad  audience 
that  included  regional  vice  presi¬ 
dents,  branch  managers  and  indi¬ 
vidual  salespeople.  So  how  did  I, 
an  IT  guy,  get  buy-in  and  support 
from  a  group  of  end  users  who 


Add  a  Comment 


How  do  you  gain  credibility  among  end 
users?  Go  to  the  online  version  of  this 
column  at  www.cio. com/101505  and 
ADD  A  COMMENT. 

cio.com 


had  been  threatening  to  go  their  own  way?  I  got  them  to  trust  me. 

Here’s  the  take-away:  In  order  to  be  a  leader,  you  must 
first  be  seen  as  a  leader  in  the  eyes  of  those  you  would  lead. 
This  means  people  need  to  see  that  you  understand  them 
and  care  about  them.  They  need  to  believe  that  you  are  open 
to  their  ideas  and  that  you  will  do  what  it  takes  to  get  things 
done.  In  other  words,  you  need  to  have  credibility. 

If  you  are  currently  (or  soon  will  be)  in  the  role  of  change 
leader,  ask  yourself  this:  “Am  I  credible  in  the  eyes  of  the  peo¬ 
ple  I  will  lead?”  If  you  are  not— as  I  was  not— ask  yourself  how 
you  will  earn  that  credibility.  My  advice  is  to  spend  time  with 
the  people  you  want  to  lead,  listen  more  than  you  talk,  and 
when  they  test  you  to  see  what  you  are  made  of,  take  the  chal¬ 
lenge.  It  hardly  matters  what  happens.  People  just  want  to  see 
if  you  can  walk  a  mile  in  their  shoes  before  they  decide  to  fol¬ 
low  you.  ran 


Mike  Hugos  is  CIO  of  Network  Services,  a  distributor 
of  housekeeping  supplies,  janitorial  products,  pack¬ 
aging  and  paper  goods.  He  is  the  author  of  Building 
the  Real-Time  Enterprise:  An  Executive  Briefing. 
Send  comments  to  leadership@cio.com. 


4  0 


OCTOBER  15,  2005  |  www.cio.com 


S  THE  WORLD’S  HELP  DESK 


PROBLEM: 

Juried  in  spam. 

e-mail  sea^n't y  i*  a.  Spam, 

illicit-  g -mail  ,  vfi all  ov6r  tVi?  plat£. 

SOLUTION: 

X&M  gxPRgSS  E-mAiO-  SgORTfr  SgR^GgS 
clean  Mi*  ap  pronto.  Expensive. 
Manageable.  Modular.  3 0-day  trial  . 
"|k*  can't*  Wait*. 


CALL  866-309-1110 

or  go  to  ibm.com/businesscenter/security24 


SIZE  OF  BUSINESS 

SECURITY  FROM  $1.80  PER  E-MAIL  ADDRESS 
PER  MONTH.  NO  SET  UP  COSTS. 


©  2005  IBM  Corporation.  All  rights  reserved.  IBM,  the  IBM  logo,  and  Express  are  registered  trademarks  or  trademarks  of  International  Business  Machines  Corporation  in  the  United  States  and/or  other  countries.  Other  company,  product  and  service  names  may  be  tract 
service  marks  of  others.  'Five  days’  prior  written  notice  to  IBM  is  required  in  order  to  cancel  the  Services  during  the  30-day  risk  free  period. 


Jim  Cash  FROM  THE  BOARDROOM 

Why  You  Should 
Experiment  with  Your 
Business 

How  to  use  business  experimentation  to  grow  your  company 

BY  JAMES  CASH  WITH  KERI  PEARLSON 


Innovation  is  the  basis  for  how  new  business  strategy  is 
developed  and  implemented.  Seeking  ways  to  be  more 
innovative  is  nothing  new— senior  managers  have  been 
seeking  this  Holy  Grail  for  years.  What  is  different  today 
is  the  increased  use  of  controlled  experimentation,  both  inside 
companies  and  with  external  partners.  Executives,  including 
CIOs,  are  beginning  to  understand  the  power  of  a  well-defined 
business  experimentation  process  as  a  way  to  increase  the  pace 
of  organizational  learning  and  thereby  accelerate  the  develop¬ 
ment  of  new  or  extended  products,  services  and  processes. 

Companies  such  as  Capital  One  have  been  able  to  invent 
entirely  new  business  models  using  experimentation.  Much  of 
Wal-Mart’s  success  over  the  past  30  years  can  be  traced  to  its 
well-honed  competency  at  business  experimentation.  And  Gen¬ 
eral  Electric  has  publicly  committed  to  8  percent  organic  growth 
(a  very  high  number  for  a  large,  mature  company,  translating 
into  $13  billion  in  new  revenue  per  year,  on  average),  which 
depends  on  an  experimental  approach  that  it  calls  “imagination 
breakthroughs.”  Learning  how  to  innovate  quickly  and  cost- 
effectively  in  the  areas  of  services,  processes  and  products  is  the 
core  concept  of  business  experimentation. 

As  CIO,  you  can  lay  the  groundwork  for  successful  business 
experimentation.  Experiments  rely  on  information  systems.  But 
your  responsibility  goes  beyond  lending  support;  experimen¬ 
tation  can  also  become  a  part  of  how  you  run  the  IT  department. 

How  Business  Experimentation  Works 

Business  experimentation  is  both  a  process  and  a  discipline,  and 
it’s  used  to  create  systematic  innovation  and  improvement, 
which  in  turn  support  organic  growth.  We  define  business 


42 


OCTOBER  15,  2005  |  www.cio.com 


ILLUSTRATION  BY  FEDERICO  JORDAN 


One 

Service 

Source 


For  multi'vendor,  cross 'platform  service  and  support,  Fujitsu  is  the  one . 


From  mainframes  to  servers,  notebooks, 
and  Tablet  PCs,  no  other  company  provides 
the  full  spectrum  of  services  to  support 
business-critical  computing  like  Fujitsu.  In 
addition  to  our  own  products,  we  support 
a  variety  of  platforms  such  as  Sun™,  IBM®, 
and  HP  plus  OS/390®,  UNIX®,  Windows® 
and  Linux  environments.  We  also  provide 
services  that  improve  the  operation 
of  your  existing  IT  investments  and 
drive  down  costs.  So,  if  it’s 
critically  important  to  a  CIO’s  IT 
infrastructure,  we  service  it. 


PRIMEPOWER®  Servers 


PRIMERGY®  Servers 


With  more  than  30  years  of  direct 
experience  collaborating  with  our  customers 
and  aligning  their  IT  and  business  objectives, 
we’ve  learned  what  it  takes  to  maintain  a 
wide  variety  of  complex,  mission-critical  IT 
environments — -and  deliver  a  higher  level  of 
service,  for  multi-vendor,  cross-platform 
environments.  We  provide  a  single  point  of 
contact  and  full  accountability  to 
reduce  the  complexity  and  cost  of 
support,  streamlining  operations  to 
offer  greater  business  value. 


To  learn  more  reasons  why  CIOs  entrust  their  IT  systems  to  Fujitsu,  visit 

us.fujitsu.com/computers/services  or  call  I  -800-83 1  -3 1 83. 


Fujfrsu 

THE  POSSIBILITIES  ARE  INFINITE 


00b  Fujitsu  Computer  Systems  Corporation.  All  r-gnts  reserved.  Fujitsu,  the  Fujitsu  logo.  PRJMEPOWF.K  PRJMEQULST  and  LifeBook  are  registered  trademarks  or  trademarks  of  Fuj-tsu  Limited  in  the  United  States  and  other  countries.  PRIMfRGY  .s  a  regtste 
Fujitsu  Siemens  Computers  GmbH  in  the  United  States  and  other  countries.  IBM  and  OS/390  are  registered  trademarks  of  IBM  Corporation  in  trie  United  States,  other  countries,  or  both.  Sun  is  a  trademark  of  Sun  Microsystems.  Inc  In  the*  US  and  ov  - 
UNIX  is  a  registered  trademark  ofThe  Open  Group  in  the  United  States  and  other  countries.  Windows  is  a  registered  trademark  of  Microsoft  Corporation  All  other  trademarks  mentioned  herein  are  the  property  o»'  the<r  reso ve  a  - 


Jim  Cash  from  the  boardroom 


experimentation  as  a  controlled,  cost-effective  and  iterative 
approach  to  learning  about  the  potential  success  or  failure  of 
a  new  product,  service  or  process. 

Much  of  Wal-Mart ’s  incredible  success  can  be  attributed  to  its 
willingness  to  experiment.  Initially,  the  small  town  of  Bentonville, 
Ark.,  Wal-Mart ’s  headquarters  since  1970,  provided  a  well-defined 
business  model  for  success  in  other  small  towns.  But  to  expand 
beyond  small  towns,  Wal-Mart  had  to  modify  its  strategy  in  ways 
that  would  allow  it  to  be  successful  in  Miami,  Houston,  Denver  and 
other  urban  settings. 

Make  business  experimentation 
a  part  of  IT  operations  strategy. 
Above  all,  make  clear  that 
IT  employees  need  to  focus  on 
organizational  learning. 

For  example,  as  part  of  its  low  pricing  strategy,  Wal-Mart 
wanted  to  ensure  that  shoplifting  was  kept  to  a  minimum.  Man¬ 
agers  built  a  series  of  experiments  around  the  use  of  greeters  in 
their  stores  to  learn  what  characteristics  reduced  shrinkage.  They 
found  that  elderly  greeters  who  personally  welcomed  customers 
kept  shrinkage  low.  Thieves  were  less  inclined  to  steal  from  some¬ 
one  who  looked  like  their  grandparents.  But  it  took  several  itera¬ 
tions  and  a  willingness  to  “fail”  with  some  of  the  experiments  to 
learn  exactly  what  type  of  person  would  make  a  good  greeter. 

More  recently,  Wal-Mart  has  been  experimenting  with  offer¬ 
ing  in-store  financial  services.  The  chain’s  approach  this  time  is 
to  build  alliances  with  successful  financial  services  companies 
such  as  SunTrust  Banks.  The  two  companies  have  launched  a  set 
of  45  in-store  bank  branches  called  “Wal-Mart  Money  Centers  by 
SunTrust”  to  test  the  new  strategy.  Business  experimentation 
has  become  a  core  competency  at  Wal-Mart  and  is  deeply  embed¬ 
ded  in  its  executives’  strategy  formulation  process. 

The  CIO’s  Essential  Role  in  Experimentation 

As  the  CIO,  you  play  a  key  role  in  making  business  experimen¬ 
tation  a  core  competency  in  your  company.  The  discipline  of 
experimentation,  the  collection  and  analysis  of  data,  the  pres¬ 
entation  of  that  analysis  to  the  business  in  a  way  that  encourages 
learning,  the  storage  of  and  access  to  past  experimentation  data 
in  a  way  that’s  useful  for  future  experiments,  and  the  systems 
that  present  an  experiment’s  results  for  optimal  learning— all 
these  are  tasks  performed  by  information  systems.  You  should 
review  your  IT  architecture  to  ensure  that  your  standards  and 
policies  enable  rapid  and  cost-effective  experiments. 

But  supporting  business  experimentation  is  only  part  of 
your  role.  CIOs  are  well-positioned  to  champion  experimen¬ 
tation  within  the  enterprise.  You  can  do  this  by  making  exper¬ 
imentation  a  part  of  IT  operations  strategy. 


Train  your  staff  in  the  process  and  discipline  of  business 
experimentation.  Develop  skills  in  your  staff  that  will  enable 
them  to  identify,  build,  run  and  analyze  experiments.  Orga¬ 
nize  for  rapid  experimentation  by  examining  and  redesigning 
routines,  organizational  boundaries  and  incentives.  Train  small 
groups  of  key  people  to  iterate  rapidly  and  learn  from  each 
iteration.  Above  all,  make  clear  that  IT  employees  need  to  focus 
on  organizational  learning. 

Experimental  Trials 

To  some  executives,  business  experimentation  may  feel  like 
they’re  giving  up  control  of  a  key  part  of  strategy  formulation. 
After  all,  if  they  let  any  part  of  the  enterprise  try  out  new  ideas 
at  any  time,  it  might  be  difficult  to  rein  it  back  in  when  the  time 
comes  to  formulate  a  single  business  strategy.  In  the  current 
business  climate,  however,  this  way  of  thinking  is  wrong. 
Organic  growth  has  become  an  important  criterion  for  market 
valuation,  and  the  rate  of  innovation  is  a  key  input  for  the  rate 
of  organic  growth  in  large  companies.  Innovation  from  any¬ 
where  in  the  company  is  a  good  thing. 

From  the  research  we  have  conducted  with  our  partners  at 
The  Concours  Group  consultancy,  we  have  found  that  the  great¬ 
est  benefit  from  business  experimentation  occurs  when  an 
organization  is  able  to  integrate  the  approach  into  its  everyday 
processes.  The  success  of  experimentation  depends  on  an  orga¬ 
nizational  culture  that  accepts  learning  as  a  goal. 

It’s  not  an  easy  feat  to  create  an  environment  that  walks  the 
line  between  so-called  failed  experiments— where  the  disci¬ 
pline  of  data  collection,  analysis  and  iteration  results  in  learn¬ 
ing  even  if  the  experiment  itself  doesn’t  produce  a  desired 
result— and  the  frivolous  waste  of  resources,  where  ideas  are 
tested  in  an  undisciplined  manner.  Using  an  experiment  as  a 
justification  for  a  one-off  project  doesn’t  create  a  culture  of 
experimentation.  That  kind  of  approach  to  experiments  signals 
that  managers  have  to  “get  it  right  the  first  time,”  and  that  fail¬ 
ure  is  not  acceptable. 

The  challenge  for  senior  managers,  then,  is  to  establish  an 
environment  in  which  experimentation  can  flourish,  while  at 
the  same  time  building  processes  and  controls  to  ensure  that 
resources  are  not  squandered.  This  is  certainly  a  complex  chal¬ 
lenge— which  is  why  we  believe  it  will  partially  distinguish 
between  business’s  winners  and  losers  in  the  future.  Business 
experimentation  might  be  the  only  process  that  is  designed  to 
continually  produce  the  organic  growth  and  operational  effi¬ 
ciency  your  company  needs  to  remain  competitive.  HE! 


James  Cash  is  the  emeritus  James  E.  Robison  Professor  of  Business 
Administration  at  Harvard  Business 
School.  Keri  E.  Pearlson  is  a  research 
director  with  The  Concours  Group  and 
coauthor  of  Managing  and  Using  Infor¬ 
mation  Systems. 


44 


OCTOBER  15,  2005  |  www.cio.com 


Flexibility 

Don't  think  of  the  regulatory  requirements  demanded 
by  compliance  as  just  being  restrictive.  Centralizing 
control  over  business  rules  enables  your  lines  of 
business  to  be  more  responsive  to  the  demands  of  a 
changing  market.  With  IT  management  software  from 
CA,  you  can  effectively  define,  execute,  manage  and 
optimize  business  process  and  performance,  increasing 
the  agility  of  your  systems.  Over  95  percent  of  the 
Global  1000  rely  on  CA  software.  Learn  how  linking 
business  processes  to  IT  resources  can  make  your 
enterprise  more  nimble  at  ca.com/compliance. 

Or  call  1-800-225-5224,  promo  code  1725. 


Simplify 

Automate 

Secure 


Computer  Associates® 


China  is  not  for  everyone,  because  of  the 
high  logistical  costs  of  getting  products  into, 
around  and  out  of  the  mainland.  Here’s  how 
to  figure  out  if  and  how  China  should  be  in 
your  company’s  future. 


BY 

CHRISTOPHER 

KOCH 

When  Arvinder  Surdhar  traveled  to  China  in  1990  to  form  a 
joint  venture  between  IBM  and  a  Chinese  manufacturing 
company  to  produce  PCs,  he  wound  up  manufacturing 
something  he  hadn’t  expected:  cardboard  boxes. 

“When  we  opened  up  those  first  shipments  from  China,  there  was  more  dust  in  the 
boxes  than  anything  else,”  recalls  Surdhar,  who  is  director  of  global  logistics  for  IBM’s  inte¬ 
grated  supply  chain  division.  Many  of  the  PCs  were  damaged  due  to  problems  endemic 
to  doing  business  in  China,  problems  that  still  plague  American  companies  15  years 
later:  bumpy,  dusty,  overcrowded  roads  (and  train  tracks);  a  fractured  logistics  network 
in  which  shipments  are  loaded  and  unloaded  at  the  whim  of  provincial  border  agents; 
overburdened  ports  where  products  languish  in  humid  containers  for  weeks  wait¬ 
ing  to  board  a  ship.  “We  had  to  come  up  with  special  shrink-wrap  and  unique, 
thicker  boxes  and  packing  materials  that  absorbed  shock  and  resisted  dust  and 
humidity,”  Surdhar  says. 

IBM’s  new  boxes  did  not  wipe  out  the  cost  advantages  of  making  PCs  in  a 
country  where  factory  workers,  truck  drivers  and  longshoremen  make  one- 
tenth  the  salary  of  their  counter¬ 
parts  in  the  United  States  and 
Europe.  But  they  could  have. 

According  to  research  by  con¬ 
sultancy  Booz  Allen  Hamil¬ 
ton,  the  logistical  costs  of 
getting  products  into, 
around  and  out  of  China 
may  end  up  outweigh- 


Reader  ROI 

::  How  to  do  the  kind  of  relationship- 
buildingthat  is  crucial  to  business  in 
China 

::  Which  products  should  be  made  in 
China  and  which  shouldn’t 

::  How  IT  can  make  your  supply  chain 
more  visible 


X 

O 

O 

o 


X 

►— 

< 


>- 

CO 


o 

X 


"~’X6  ve  i^Vto  r  y 

I 


w 


»  ■'*  «■««* 


,  n 


■  i 

i  # 

,» 


Cover  Story  Supply  Chain 


ing  the  cost  advantage  gained  by  going  there 
in  the  first  place;  if  the  labor  costs  of  manu¬ 
facturing  the  product  in  the  West  account 
for  25  percent  or  less  of  the  total  product  cost, 
it  may  be  to  companies’  advantage  to  keep 
manufacturing  in  the  West. 

Besides  logistical  complications,  other  fac¬ 
tors— such  as  inflexible  production  lines  and 
limited  ability  for  many  Chinese  factories  to 
handle  last-minute  design  changes— can 
also  make  the  risk  of  going  to  China  bigger 
than  the  potential  savings.  Broken,  dusty, 
improperly  specified  or  delayed  PCs  don’t 
sell,  no  matter  how  little  it  costs  to  produce 
them.  IBM’s  joint  venture  thrived  after  its 
initial  logistical  hiccups,  according  to  Surd- 
har,  and  the  joint  venture  eventually  began 
making  higher-end  servers  for  IBM.  (The  PC 
part  of  the  business  was  sold  to  Chinese 
giant  Lenovo  earlier  this  year.)  Other  com¬ 
panies  haven’t  fared  so  well  with  their  joint 
ventures.  Making  sure  that  products  built 
in  China  look,  function  and  arrive  as  prom¬ 
ised  remains  a  tremendous  challenge  today. 

The  CIO's  Burden 

The  slice  of  that  challenge  that  falls  to 
CIOs— monitoring,  managing,  automating 
and  feeding  the  Chinese  supply  chain  with 
information— is  the  most  daunting  of  all. 
Supply  chain  visibility  is  a  precious  com¬ 
modity  even  in  the  West.  In  China,  for  all 
but  the  most  advanced  products,  navigat¬ 
ing  the  supply  chain  can  be  a  matter  of  feel¬ 
ing  your  way  through  total  darkness.  IT, 
however,  is  not  the  automatic  answer  for 
lighting  up  the  supply  chain.  Labor  costs 
are  so  low  in  China  that  IT  automation  and 
monitoring  projects  may  add  more  to 
costs— in  terms  of  software,  hardware  and 
still-precious  (and  unreliable)  bandwidth— 
than  they  save  in  productivity.  (The  median 
wage  at  a  Chinese  manufacturing  plant  is 
1,000  yuan,  or  about  $120,  per  month, 
according  to  a  2005  survey  by  The  MPI 
Group.)  Hence,  some  low-tech  or  commod¬ 
ity  products  may  not  be  worth  monitoring  at 
all  until  they  hit  a  ship  in  a  Chinese  port. 

CIOs  who  have  succeeded  in  China  under¬ 
stand  the  country’s  dramatically  different 
cultural,  political  and  business  practices  and 
how  they  affect  the  design  and  management 


Owned  in  China 

Some  U.S.  companies  think 
owning  their  own  factories 
in  China  is  a  hedge  against 
rampant  intellectual  prop¬ 
erty  theft.  But  is  it? 

The  growing  tendency  among  U.S. 
companies  to  build  their  own  factories  in 
China  has  a  not-so-hidden  agenda,  say  some 
China  experts:  protecting  intellectual  prop¬ 
erty.  IP  theft  is  rampant  in  China.  Ninety  per¬ 
cent  of  software  sold  in  China  in  2004  was 
stolen,  according  to  the  Business  Software 
Alliance,  a  software  industry  trade  and 
lobbying  group.  Chinese  suppliers  need  to 
thoroughly  understand  the  products  of  their 
Western  clients  in  order  to  troubleshoot  prob¬ 
lems,  but  that  knowledge  sometimes  results 
in  knockoffs  appearing  in  the  local— or 
global— market. 

“Companies  going  to  China  should  start 
with  products  that  are  more  standard  and 
have  less  intellectual  property  in  them,”  says 
Mark  Stonich,  a  director  at  PRTM,  a  supply 
chain  consulting  company. 

“Captive”  factories  are  thought  to  provide 
a  measure  of  protection  against  IP  theft, 
because  they  can  more  safely  incorporate  the 
Western  company’s  design,  manufacturing 
and  security  processes.  But  some  China  vet¬ 
erans  such  as  Scott  Hicar,  CIO  of  hard-drive 
manufacturer  Maxtor,  are  skeptical  that  hav¬ 
ing  dedicated  factories  provides  much  extra 
protection  from  the  IP  problem.  “You  deal 
with  so  many  outside  suppliers  even  when  it’s 
your  own  factory,  that  they  could  get  informa¬ 
tion  if  they  wanted  it,"  he  says. 

Hicar  sees  the  main  advantages  of  direct 
ownership  as  having  complete  control  over 
manufacturing  processes  and  IT,  instead 
of  having  to  integrate  Maxtor's  processes 
and  systems  with  local  Chinese  companies 
or  cajoling  them  to  build  a  new  system 
from  scratch.  -C.K. 


of  supply  chains.  They  know,  for  example, 
that  the  Chinese  government  essentially 
becomes  a  third  party  in  any  dealings  with 
local  companies  and  can  intervene,  at  any 


time,  in  capricious  and  costly  ways.  They 
realize  that  Chinese  companies  consider  con¬ 
tracts  to  be  starting  points  for  developing  a 
business  relationship— and  may  not  honor 
them  to  the  letter.  They  understand  that  com¬ 
munism  is  merely  a  new  name  for  a  political 
and  economic  system  that  has  stressed  hier¬ 
archy  and  authority  over  independence  and 
jurisprudence  for  hundreds  of  years. 

Though  neophytes  assume  that  China  will 
become  “more  Western”  over  time,  CIOs  with 
experience  there  aren’t  holding  their  collec¬ 
tive  breath.  In  the  meantime,  these  executives 
have  developed  strategies  that  accommodate 
Chinese  differences  without  compromising 
the  goals  of  low  costs  and  high  quality.  They 
hire  Chinese  import/export  companies  to  act 
as  local  ambassadors  to  navigate  the  thickets 
of  government  bureaucracy,  cajole  local  sup¬ 
pliers  and  provide  information  links  to  their 
supply  chains.  They  build  their  own  facto¬ 
ries  in  China,  when  possible,  to  instill  the 
company’s  own  manufacturing  and  quality 
processes  and  provide  more  fertile  ground 
for  extending  the  company’s  enterprise  IT 
systems  into  China.  And  they  make  the  nec¬ 
essary  investments  in  relationship  building, 
or  guanxi,  that  provide  the  foundation  for 
doing  business  in  China.  (For  more  on  how  to 
negotiate  this  ethical  thicket,  read  “Bribes 
and  Payoffs— Oh,  My!”  on  Page  54.) 

CIOs  who  act  without  this  knowledge  risk 
erasing  the  very  cost  advantages  that  brought 
their  businesses  to  China  in  the  first  place. 
If  they  can’t  provide  cost-effective  systems 
that  give  insight  into  the  supply  chain,  “the 
complexity  and  unpredictability  of  China- 
sourced  products  become  overwhelming,” 
says  Beth  Enslow,  VP  of  enterprise  research 
for  Aberdeen  Group. 

Stepping  Back  in  Time 

When  the  last  chunk  of  Pacific  Cycle’s  bicycle 
manufacturing  finally  packed  up  and  went 
to  China  in  2000,  Ed  Matthews’  information 
supply  chain  went  dark.  Gone  were  the 
detailed  bills  of  materials  and  dedicated  EDI 
that  Matthews,  who  is  Pacific’s  director  of 
information  systems,  had  with  factories  in  the 
United  States  and  Mexico  that  enabled  Pacific 
to  ship  bikes  anywhere  in  North  America  in  a 
matter  of  days  and  change  production  lines 


48 


OCTOBER  15,  2005  |  www.cio.com 


MORE  BUSINESS 


wJk^A 


ID 


With  ProCurve  Networking  by  HP,  you  choose  from  a  comprehensive  set  of  security  solutions  — 
each  designed  to  help  protect  your  growing  company.  You  get  exclusive  products  like  ProCurve 
Secure  Router,  Virus  Throttle,  Identity  Driven  Management  and  Access  Controller  Module. 

And  unlike  most  other  providers,  ProCurve  ensures  critical  network  security  at  the  edge  where 
users  connect  as  well  as  at  the  vulnerable  core.  Edge-to-edge  security  means  less  downtime, 
more  uptime.  ProCurve  means  more  security,  more  affordably. 


Find  out  more  about  ProCurve  Networking.  Call  800-975-7684  Ref  Code  51  or 
download  informative  reports  complete  with  case  studies  and  cost-of-ownership 
analysis  at  www.hp.com/learn/procurvel. 


ProCurve  Networking 

HP  Innovation 


©2005  Hewlett-Packard  Development  Company,  L.P 


Advertising  Supplement 


Securing  the  network  at 
the  edge  keeps  business 
out  of  harm’s  way 

who  posed  the  “show- 
stopper”  question  at  a  recent  executive  committee  meeting: 
“With  all  the  resources  and  attention  businesses  are  expending 
on  security,  why  are  we  still  besieged  with  continuous  threats 
from  viruses,  worms,  and  hackers?" 

He  wasn’t  overstating  the  problem.  Today  an  estimated 
100,000  viruses,  worms,  and  Trojan  horses  pose  direct  threats 
to  network  computer  users.  The  cost  of  system  downtime 
stemming  from  attacks  can  often  be  measured  in  thousands 
of  dollars  per  minute,  and  the  theft  of  sensitive  data  carries 
tremendous  potential  liability.  So  it’s  no  wonder  security 
remains  a  top  priority  for  business  and  technology  managers 
alike. 

The  truth  is  that  current  methods  and  strategies  for  secur¬ 
ing  corporate  networks  often  fall  short.  Many  companies  use 
virus  signature  scanning  techniques,  but  these  technologies 
alone  are  not  sufficient  since  they  do  not  detect  new  forms  of 
viruses  and  they  depend  on  human  response.  Once  in  the  net¬ 
work,  a  virus  propagates  at  machine  speed,  which  is  orders  of 
magnitude  faster  than  the  “human-speed”  responses  to  them. 

WHAT  USERS  WANT 

Clearly,  businesses  need  a  complete  solution  that  truly  delivers 
security  without  compromise  to  protect  networks  and  the  mission- 
critical  data  that  runs  over  them.  A  checklist  of  the  features  of 
such  a  solution  should  include: 

/  Simplicity  for  administrators  and  transparency  for  users 
/  Ease  of  deployment  and  flexibility 
/  Security  built-in  and  integrated  with  the  hardware, 
not  bolted  on 

/  Security  at  the  critical  network  edge  where  users  connect 

This  is  exactly  what  users  get,  and  a  lot  more,  with 
Hewlett-Packard’s  ProCurve  Networking  solutions,  engineered  to 
move  vital  network  access  decisions  to  the  network  edge  while 
freeing  essential  network  resources  to  enable  the  high-band¬ 
width  connections  they  are  supposed  to  provide.  By  concentrat- 


If  was  file  (  IT) 


ProCurve  Networking 

HP  Innovation 


ing  security  at  the  edge,  HP  ProCurve  further  enables  support 
for  vital  network  convergence  and  burgeoning  mobile  strategies. 
The  result  is  a  solution  without  tradeoffs  between  ease  of  use 
and  performance  versus  capability.  ProCurve  Networking  offers 
security  without  compromise. 

A  key  and  unique  element  of  the  ProCurve  solution  is  virus¬ 
throttling  functionality  built  directly  into  ProCurve  switches.  This 
highly  effective  bulwark  against  viruses  provides  detection  at 
the  network  edge  based  on  traffic  behavior,  not  virus  signature 
analysis.  The  bandwidth  on  the  port  where  the  attack  is 
detected  can  be  throttled  back  or  the  port  traffic  can  be  com¬ 
pletely  contained.  This  functionality  gives  the  IT  staff  the  time 
it  needs  to  first  isolate  and  then  eliminate  viruses  and  worms 
before  they  cause  system-crashing  damage. 

THE  ULTIMATE  IN 
NETWORK  SECURITY 

Unlike  other  virus  detection  technologies,  the  virus-throttling  fea¬ 
ture  does  not  need  preknowledge  of  specific  worms  and  viruses  to 
do  its  job  because  virus  throttling  is  behavior-based.  ProCurve 
switches  with  virus  throttling  can  throttle  or  rate-limit  routed 
traffic,  or  completely  block  traffic  from  a  suspect  client. 

Not  all  virus  attacks  come  from  external  sources  outside  of 
a  network.  It  is  increasingly  important  to  protect  access  to  the 
internal  network  behind  the  firewall  to  prevent  virus  attacks 
and  threats  to  critical  systems.  Using  ProCurve  solutions,  users 
effectively  move  security  to  the  network  edge,  where  trouble 
can  be  resolved  before  any  damage  is  done  to  business-critical 
data.  ProCurve’s  value  proposition  delivers  intelligent  security 
with  ease  of  use,  without  sacrificing  performance. 

The  bottom  line  is  that  with  its  many  unique,  powerful,  and 
adaptable  features,  HP  ProCurve  Networking  delivers  on  the 
core  and  essential  value  propositions  of  high  network  availabili¬ 
ty,  efficiency,  security,  ease  of  use,  and  open-standards-based 
interoperability.  For  more  information,  go  to 
www.hp.com/learn/procurve. 


Itfs  OK  to  show  off  to  your  friends 

that  you  were  in  CIO. 


tCOTT  Bt*l 


CIO 


Why  the 
Decline  of 
the  Influence 
Industry  Is 
Good  News 
for  You 


CiO  Greg  Smith  cut  ms  research 
<©«KSir«  by  40%  Arid  tsfietur** 
‘MXts t  inbrmjhon  t)\an  *ver 
How  you  cun  loo  *  A 


But  it’s  even  better  to 
show  your  customers. 


What  better  way  to  inform  your  key  customers 
of  your  editorial  coverage  in  CIO  than  through 
customized  Editorial  Reprints? 


Leverage  the  positive  impact  of  your  editorial 
coverage  by  using  reprints  for  direct  mail 
campaigns,  seminar  promotions,  employee 
communications,  recruiting  and  marketing  pro¬ 
grams.  Let  us  enhance  your  reprints  with  your  company’s  logo, 
address,  and  sales  message.  Reprints  make  great  SALES  tools  for 
trade  shows,  mailings  or  media  kits. 


And  while  a  framed  copy  of  your 
article  will  look  neat  on  your  wall,  it 
will  look  even  better  in  the  hands  of 
your  customers. 


The  Resource 
for  Information 
Executives 


p  Ars 


■  Ancillary  ||  |g&gg| 

it <  n  u  c  h  pliiipipi 

Services  ■  mHHHl 

1  INTERNATIONAL  CORP.  | 

(managed  reprint  programs} 


For  more  information  on  customized  editorial  reprints  in  volume  quantities, 
contact  Jesse  Levy  at  212.221.9595  xl23  or  email  jesse@parsintl.com. 
Website:  www.magreprints.com/quickquote.asp 


Cover  Story  Supply  Chain 


Ed  Matthews,  director  of  information 
systems  for  Pacific  Cycle,  compensates 
for  the  lack  of  visibility  into  his  Chinese 


supply  chain  by  lengthening  the  lead 


time  for  the  production  of  bicycles  in 
Chinese  factories. 


for  a  new  model  in  as  little  as  two  weeks. 

They  were  replaced  by  paper  and  pen,  or 
at  best,  e-mails  (when  they  went  through) 
and  simple  spreadsheets.  Matthews’  step 
back  in  time  is  not  unusual:  63  percent  of 
companies  surveyed  by  Aberdeen  Group 
manage  their  global  trade  processes  using 

50  OCTOBER  15,  2005  |  www.cio.com 


paper  and  spreadsheets.  Production  sched¬ 
ules  for  Pacific’s  Chinese  factories  are  in 
spreadsheets  that  are  manually  adjusted  to  fit 
Pacific’s  specifications  and  purchase  orders 
and  then  manually  entered  into  Matthews’ 
U.S.-based  SAP  ERP  system. 

“There  is  a  lot  of  manual  work  at  both  ends 


of  the  supply  chain  now  because  the  Chinese 
factories  aren’t  sophisticated  enough  to  have 
the  systems,”  Matthews  says.  Consequently, 
he  can’t  track  bikes  in  anything  approaching 
real-time  until  they  hit  the  ports  on  China’s 
eastern  rim. 

Matthews  and  other  CIOs  working  with 


♦ 


microsystems 


Given  how  hot  and  slow  our  competitor's  servers  are,  it's  no  surprise  their  name 

RHYMES  WITH  HELL 

THE  NEW  INDUSTRY  STANDARD  x64  SERVERS  FROM  SUN. 


Check  out  our  cool  new  industry  standard 
x64  servers  powered  by  AMD  Opteron” 
processors.  They  run  Solaris'"  (our  favorite) 
Windows  and  Linux.  Visit  sun.com/better. 


AMD 


soiaris 


; 

Sun  Fire”  X4100 

/  >r.-. v  ■  .  ■ 

Dell  PE6850 

SPECfp_rate2000:  79.1 

SPECf()_rate2000:  52.5 

1U 

4U 

550  watts 

1470  watts 

i  Solaris,  Linux,  Windows 

Linux,  Windows 

$2,195* 

$4,899* 

■  Shu  Mm  msy.i •  I ix  .  All  uijlil  wscmd.  AMI),  the  AMI)  Allow  lo'p'..  AMI)  Optemn, 

■ 

- 

Dili  i'nvvi -f  l  ox',-*  M>  bdrlX.'on  .  if/.  <  Ml-  !  \  H  MM  I  J(j  Ut.  M‘,  WniJ.  • 
I’-.r.r  ( •  iuii,  iiii)i(  l  l‘l i,  ISJUI »  w.u j  inly.  I  RAM,  no  OS.  I’m  »■'.  «i\  It  -Met  I.  Sut 


<  iiMif-m.il  /  on*,  I  ,u  (•■  t:.i  Ji‘01,1!  L1,  ol  A-.lv.ux  ml  Mu  to  I  «*s.  I  in  . 

uii.nl  hiMif.  sl*K  1 1 i ul  Jin-  Iwik  Inn -nr  (uni io  SIH U|>  .nr  u*vj i-.t ou* J  i m« l<  -n Kir k'.  <1  the  Stand. m!  Pur  Junnaru  <*  (valuation  Corporation^ Coftipt? 
ill  -.,  visit  1iU|»://www/.|i»'<  .okj/.  Mu-  Soil  I  u r  XdJun  m’ivci  (/x  AMI)  Opieron  piocessur  Model  lOGB,  Solaris  10):  SPElfp  k« io/O&o  • 

.  I  'I  i  I  j »  inio  '  i:  •  ili-  v.'-i.  .filim-dtid  lu  Sl*l  C  it  .Jsj 


■0 

fr  it. 


(.ii  ill',!,  !»J  (:li  ODkl  401).  ‘ 


>  4.S  Dell  I't . . -t‘,0  (4*  j  j  (  OH/.  ll»  OBdisK,  H.  GB  (ilsj!  .iinWtr!,  lVin<w4w? 


Cover  Story  Supply  Chain 


Determining  who  gets  the  last  freight 
slot  on  a  crowded  ship  in  a  Chinese  port 
depends  not  on  who  gets  there  first,  but  on 

who  you  know  and  how  well-connected 
they  are  with  port  authorities. 


g,  s'  Chinese  companies  com- 

^ MsvJfe®  pensate  with  lead  time.  The 
less  visibility  you  have  in 
the  supply  chain,  the  more  time  you  need  to 
get  things  right.  Lead  time  for  Pacific’s  bikes 
is  now  as  long  as  270  days,  from  a  maximum 
of  60  in  the  old  days,  Matthews  estimates.  It’s 
the  same  thing  for  many  companies  going  to 
China:  42  percent  of  companies  surveyed  by 
Aberdeen  had  lead  times  of  60  days  or  more. 

Longer  lead  times  also  mean  much  higher 
logistics  costs— especially  as  Pacific  does 
business  with  factories  farther  inland.  (The 
farther  in  you  go,  the  lower  the  costs  are, 
because  inexpensive  labor  is  in  much  greater 
supply  in  China’s  vast,  impoverished  west¬ 
ern  interior  than  in  its  coastal  areas.)  Prod¬ 
ucts  face  a  long  trek  across  China  (40  percent 
of  those  surveyed  by  Aberdeen  said  their 
products  languish  for  30  days  or  more  inside 
China)  and  the  oceans  (20  to  30  days)  before 
reaching  the  United  States.  Aberdeen  found 
that  63  percent  of  companies  with  the  longest 
lead  times  were  spending  more  than  6  per¬ 
cent  of  revenue  on  logistics  (for  high-tech 
companies  it  was  as  much  as  9  percent)  while 
logistics  costs  in  many  U.S.-based  companies 
were  as  low  as  3  percent. 

Longer  lead  times  result  in  higher  risks  for 
any  supply  chain.  Inventories  will  need  to  be 
higher  to  accommodate  unforeseen  demand, 
damage  to  shipments  and  variations  in  qual¬ 
ity.  When  working  at  arm’s  length  with  many 
suppliers  that  change  frequently,  as  Pacific’s 
factories  do,  constructing  deep  IT  connections 
doesn’t  make  much  sense,  according  to 
Matthews.  “I  once  asked  if  a  factory  could 
accept  EDI,”  he  recalls.  “A  message  came  back 
asking,  What  is  EDI?”’ 

Despite  the  problems,  the  arrangement 
makes  sense  for  Pacific  Cycle.  Low-end  bicy¬ 


cles  are  fairly  bulletproof  commodity  prod¬ 
ucts  that  don’t  change  much  year-to-year.  So 
Pacific  can  afford  to  absorb  the  long  lead 
times  and  switch  factories  often.  The  labor 
savings  Pacific  reaps  from  manufacturing 
in  China  blow  away  the  losses  in  supply 
chain  flexibility,  Matthews  says. 

Your  Ambassador 
to  China 

Matthews  does  what  he  can  to  shorten 
the  lead  times  by  working  closely  with 
importer/exporters  in  China.  He  has  con¬ 
structed  EDI  connections  with  Pacific’s  rep¬ 
resentatives  in  China  for  purchase  orders 
and  advanced  shipping  notices,  among  other 
notifications.  The  importer/exporter  tracks 
the  bikes  all  the  way  through  the  Port  of 
Long  Beach/Los  Angeles  and  on  to  Pacific’s 
U.S.  distribution  centers. 

Importer/exporters  and  third-party  logis¬ 
tics  providers  have  emerged  as  the  linchpins 
of  China’s  supply  chain.  They  are  like  local 
ambassadors  for  foreign  companies.  They 
cajole  factories  to  perform,  cut  red  tape  with 
the  government,  and  push  products  through 
customs  and  onto  boats  and  airplanes. 

The  importance  of  the  importer/exporters 
can  be  tied  to  the  role  that  relationship— or 
guanxi— plays  in  Chinese  business.  Famil¬ 
iarity  is  critically  important  in  China.  Veter¬ 
ans  of  China  all  report  the  importance  of 
direct,  face-to-face  dealings  to  building  and 
cementing  business  relationships.  There  are 
the  bizarre  examples— IBM’s  Surdhar  recalls 
drinking  a  mixture  of  snake  blood  and  wine 
to  demonstrate  his  commitment  to  a  Chinese 
supplier.  And  there  are  the  mundane— meet¬ 
ing  suppliers  at  the  airport  in  the  United 
States  and  never  discussing  business  during 


the  first  meeting.  Both  are  designed  to  create 
trust.  ‘‘Dealing  with  anyone  there  you  have  to 
be  patient,”  says  Surdhar.  “That  is  one  of 
biggest  issues  foreigners  face.” 

The  importer/exporter  is  an  important 
link  between  Western  expectations  and  Chi¬ 
nese  realities.  They  understand  better  than 
any  foreigner  the  system  of  favors— some 
legal,  some  not— that  have  helped  the  Chi¬ 
nese  navigate  the  complexities  of  their  hier¬ 
archical  and  arbitrary  political  systems  for 
hundreds  of  years. 

In  the  United  States,  laws  and  ethical  rules 
that  govern  business  behavior  are  relatively 
clear  and  uniformly  accepted.  Not  so  in  Asia. 
“China  is  a  much  more  hierarchical  society 
than  here  in  the  US.,”  says  Tom  Stipanowich, 
president  and  CEO  of  the  International  Insti¬ 
tute  for  Conflict  Prevention  and  Resolution. 
“People  respect  authority  and  place  much 
more  emphasis  on  people’s  relative  posi¬ 
tions— superior  and  inferior— than  we  do.” 
For  thousands  of  years,  Chinese  business¬ 
men  have  brought  their  disputes  to  a  recog¬ 
nized  authority  figure,  such  as  a  village  elder, 
for  resolution,  says  Stipanowich.  That  tradi¬ 
tion  survives,  but  the  number  of  authority 
figures  has  increased,  as  has  the  overlap  in 
their  roles:  city,  regional  and  national  offi¬ 
cials  may  each  have  different  interpretations 
of  a  law  written  by  one  of  China’s  national 
ministries,  for  example. 

“The  Chinese  system  is  arbitrary  and  can 
easily  change,”  says  Oded  Shenkar,  professor 
of  management  and  human  resources  at  the 
Fisher  College  of  Business  at  Ohio  State  Uni¬ 
versity  and  author  of  The  Chinese  Century. 
“Anything  you  want  to  get  done  depends  on  a 
network  of  people,  not  a  single  individual.” 

Determining  who  gets  the  last  freight  slot 
on  a  crowded  ship  in  a  Chinese  port,  for 
example,  is  “very  much  open  to  interpreta¬ 
tion,”  Shenkar  says.  Priority  won’t  be  deter¬ 
mined  by  who  got  there  first,  or  who  needs  it 
the  most,  or  even  who’s  willing  to  pay  the 
most,  but  by  the  relationships  that  have 
accumulated  over  the  years  with  the  ship¬ 
ping  company,  customs  agents  and  govern¬ 
ment  officials,  he  says.  Approval  at  one  level 
does  not  guarantee  that  the  next  level  up  will 
not  reconsider  the  situation. 

In  this  environment,  it  shouldn’t  be  sur¬ 
prising  that  contracts  do  not  carry  the  same 


52 


OCTOBER  15,  2005  |  www.cio.com 


mssm 


©2005  Akamai  Technologies,  Inc.  All  Rights  Reserved.  Akamai  and  the  Akamai  logo  are  registered  trademarks. 


Enterprise  Applications  Soar 
for  Cathay  Pacific  Airways. 


:  V.  £iC: 


?  ■  V  f  *<m 


4  ■  »  / 

jf,- 

fflmm  M 


Without  Akamai,  'there  is  no  way 
that  a  100%  increase  in  online  .  V 

bookings  would  have  occurred.  V 

■"*-*  J '*''***&  *•  y^''  ^  t  m  >%• 

/-■*  S’"  r.*!;-  , 


Cathay  Pacific  — Scott  Ohman,  Manager, 

E-Business  Commercial,  Cathay  Pacific  Airways 


Cathay  Pacific  trusts  Akamai  to  deliver  more  online  bookings. 

Akamai  delivers  more  than  content.  We  deliver  improved  performance  of  Cathay  Pacific's  dynamic 
online  applications,  allowing  passengers  and  agents  to  book  travel  and  check-in  for  reservations 
online  with  ease.  We  deliver  hundreds  of  thousands  of  dollars  in  infrastructure  cost-savings,  enabling 
Cathay  Pacific  to  handle  increased  application  usage  without  investing  in  hardware.  Akamai  delivers 
customer  loyalty,  the  ability  to  handle  traffic  spikes,  and  the  flexibility  for  future  growth. 

To  learn  more  visit  www.akamai.com/WebApplications 
to  see  a  Webcast:  Accelerating  Dynamic  Web  Applications 
Featuring  Forrester  Research  Analyst  Thomas  Mendel 

FORRESTER  The  Trusted  Choice 

for  Online  Business 


Cover  Story  Supply  Chain 


weight  as  they  do  in  the  West.  “To  the  Chi¬ 
nese,  the  contract  is  the  starting  point  to  a 
relationship  that  will  evolve,”  Stipanowich 
says.  “If  you’re  in  a  relationship  with  them, 
it  behooves  you  to  appreciate  that  there 
will  be  some  need  for  accommodation  on 
the  original  terms  of  the  contract.”  If  sup¬ 
pliers  try  to  take  you  to  the  cleaners,  it  may 
be  time  to  end  the  relationship,  not  rewrite 
the  contract. 

The  Supply  Chain 
Headache 

Guanxi,  however,  is  just  the  beginning  of  a 
strategy  for  conquering  China’s  mysteries. 
Just  ask  Watts  Water  Technologies,  a  global 
manufacturer  of  water  valves  and  moni¬ 
toring  equipment.  Watts  Water  has  a  global 
supply  chain  that  includes  12  manufactur¬ 
ing  plants  in  the  United  States  and  now 
three  in  China.  Watts  Water  first  entered 
China  in  1995,  when  the  only  type  of  for¬ 
eign  investment  allowed  by  the  Chinese 
government  was  joint  ventures  with  local 
companies.  But  that  model  caused  prob¬ 
lems.  “The  joint  ventures  are  difficult 
because  you  essentially  have  two  parallel 
management  structures— yours  and  the 
local  company’s— and  the  two  are  often  in 
competition,”  says  Anton  Ter  Meulen,  VP  of 
information  and  strategic  planning  at  Watts 
Water.  “It’s  hard  to  know  who’s  in  charge.” 

In  addition,  Chinese  manufacturers  are 
not  comfortable  with  the  concept  of  the 
extended  supply  chain— where  suppliers 
are  partners,  and  parts  are  built  and 
ordered  in  advance.  The  Chinese  business 
culture  is  almost  entirely  cash-based;  credit 
and  advanced  purchasing  are  not  popular 
concepts  in  a  country  where  legal  remedies 
are  limited,  Ter  Meulen  says.  “Factories 
won’t  do  anything  without  a  firm  purchase 
order  in  hand,”  he  adds. 

To  bring  the  Chinese  factories  up  to 
speed  on  its  business  processes  and  IT, 
Watts  Water  bought  out  its  local  Chinese 
partners  three  years  ago  (when  the  Chinese 
government  relaxed  the  joint  venture 
requirement)  and  made  the  factories  exten¬ 
sions  of  the  U.S.  plants.  More  and  more 
companies  are  choosing  that  option.  Direct 
ownership  has  become  nearly  four  times 


-  fP 


Bribes  and 
Payoffs— Oh,  My! 

When  you  do  business  in  China, 
it  pays  to  remember  that  you’re 
not  in  Kansas  anymore 

Repression,  censorship  and  corruption  are 
facts  of  life  in  China;  for  Americans  doing  business 
there,  this  can  come  as  something  of  a  shock. 

Chinese  officials,  for  instance,  may  expect 
money— or,  at  the  very  least,  noncash  favors— 
to  make  things  happen.  Yet  U.S.  citizens  can  be 
severely  penalized  for  offering  bribes.  The  Foreign 
Corrupt  Practices  Act  (FCPA)  calls  for  corporate 
fines  of  up  to  $2  million  and  up  to  five  years  in 
jail  for  individuals  who  make  a  corrupt  payment 
directly  or  through  a  third  party  to  a  foreign 
official  to  get  or  keep  business.  And  the  feds 
are  getting  tougher.  According  to  Shearman  & 
Sterling,  an  international  law  firm,  in  2002  there 
were  seven  reported  investigations  for  potential 
FCPA  violations  by  the  Department  of  Justice 
or  the  Securities  and  Exchange  Commission. 

In  2004,  there  were  18  new  investigations. 

While  the  U.S.  law  is  tougher  than  those  in  other 
industrialized  countries,  Oded  Shenkar,  professor 
of  management  and  human  resources  at  Ohio 
State’s  Fisher  College  of  Business,  says  it  contains 
a  loophole  big  enough  to  drive  a  truck  through. 
According  to  the  Department  of  Justice,  bribes  are, 
in  fact,  legal  in  order  to  facilitate  or  expedite  per¬ 
formance  of  a  “routine  governmental  action,"  such 
as  obtaining  permits  and  licenses,  moving  goods 
through  customs,  arranging  for  police  protection, 
ensuring  the  pickup  and  delivery  of  mail,  getting 
your  phones  hooked  up,  electricity  turned  on  and 
water  supplied,  and  loading  and  unloading  cargo. 

Even  so,  U.S.  prosecutors  seem  to  be  more 
willing  to  go  after  miscreants.  “I  don’t  see 
European  countries  prosecuting  people  under 
their  new  [antibribery]  laws,”  Shenkar  says. 

“If  everybody  else  is  paying,  but  you  aren’t, 
what’s  the  probability  you’ll  get  the  bid?” 

All  of  which  leaves  American  executives  in  a 
bit  of  fix.  Shenkar  advises  CIOs  doing  business 
in  China  to  read  up  on  the  laws  in  the  United 
States  and  abroad  pertainingto  bribery  and 
work  hard  at  buildingtrusting  relationships 
with  local  Chinese  companies.  -C.K. 


as  popular  as  joint  ventures,  according  to 
the  State  Statistical  Bureau  of  the  People’s 
Republic  of  China. 

Buying  factories  in  China  made  it  much 
easier  for  Ter  Meulen  to  link  his  company’s 
U.S.  and  Chinese  supply  chains.  He  in¬ 
stalled  Watts  Water’s  QAD  ERP  system  in 
the  Chinese  factories  (in  a  special  Chinese 
language  version  that  incorporates  the  eso¬ 
teric  reporting  requirements  of  the  central 
government)  and  linked  them  together  on  a 
single  global  Progress  Software  database. 
“Using  our  software  makes  it  a  lot  easier  to 
integrate  the  Chinese  factories  into  our 
demand  stream  back  here,”  he  says. 

At  the  same  time,  Ter  Meulen  also  used 
his  five  importer/exporters  to  increase  sup¬ 
ply  chain  flexibility  with  the  companies 
supplying  his  factories  with  raw  materials 
and  parts.  Watts  Water  convinced  them— 
by  paying  an  extra  couple  of  percentage 
points  per  transaction— to  act  as  consolida¬ 
tion  points  for  inventory  from  the  Chinese 
suppliers  they  dealt  with,  who,  without  the 
direct  relationship  to  Watts  Water,  were 
completely  uninterested  in  looking  beyond 
the  purchase  orders  they  received  and  sent. 

The  extra  margin  helped  create  a  buffer  so 
that  Watts  Water  could  more  quickly  recover 
from  unexpected  demand  for  its  Chinese- 
made  products  and  components.  But  it  still 
didn’t  give  Watts  Water’s  own  Chinese  fac¬ 
tories  and  the  importer/exporters  what  they 
really  needed:  the  confidence  to  buy  and 
build  things  in  advance.  So  Ter  Meulen  built 
a  custom  demand-planning  system  designed 
to  give  the  Chinese  six  months  of  reliable 
demand  information  in  advance.  With  that 
data  in  hand,  the  Chinese  factories  are 
expected  to  finish  the  product  in  42  days. 

The  first  thing  Ter  Meulen  discovered 
when  he  started  building  the  demand  sys¬ 
tem  was  how  little  Watts  Water  really 
knew  about  its  own  demand.  “We  probably 
didn’t  have  good  forecasts  historically— 
and  we  didn’t  need  them,”  he  says.  “We 
could  forecast  four  weeks  out,  and  that  was 
fine.  Suppliers  were  nearby  and  kept  raw 
materials  on  hand;  we  were  pretty  verti¬ 
cally  integrated.  But  as  you  extend  the  sup¬ 
ply  chain,  you  have  to  come  up  with  greater 
forecast  accuracy.”  The  demand-planning 
system  aggregates  demand  in  the  United 


54 


OCTOBER  15,  2005  |  www.cio.com 


Solutions  for  the  adaptive  enterprise. 


Reduced  processes.  Reduced  complex'll/-  ^ 

„  odd  efficiency,  flexibility,  and  control  yfl*  W* 


I 


See  how  HP  Services  and  HP  Consolidation  Solutions  can  help  you  by  downloading 
IT  Consolidation  on  the  HP  BladeSystem  at  hp.com/info/blades 

2005  Hewlett-Packard  Development  Company,  L.P  Intel,  Intel  Inside,  the  Intel  Inside  logo,  and  Intel  Xeon  are  trademarks  or  registered 
trademarks  of  Intel  Corporation  or  its  subsidiaries  in  the  United  States  and  other  countries. 


HP  ProLiant  BL30p  server  blades 


Cover  Story  Supply  Chain 


For  manufacturers  who  work  with  Chinese 
suppliers  of  parts  for  expensive  high-tech 
products,  the  benefit  01  automated  IT 
systems  to  track  those  parts  through  the 
supply  chain  outweighs  the  cost. 


(ff  fr-t  States  and  runs  it  through 
^  Jnr  rr  seven  algorithms  to  get 
accurate  readings.  The 
forecasts  are  shipped  to  the  Chinese  facto¬ 
ries  and  importer/exporters  each  week  so 
that  everyone  can  make  any  necessary 
adjustments  to  their  plans. 

To  increase  Watts  Water’s  supply  chain 
flexibility  further,  the  company  is  building 
two  distribution  centers  in  China:  one  in  the 
north  and  the  other  in  the  south.  These  centers 
will  provide  mega  consolidation  points  for  the 
importer/exporters.  In  particular,  the  distri¬ 
bution  centers  will  make  shipping  more  flex¬ 
ible  than  it  would  be  from  the  factories  or  from 
the  importer/exporters.  “Shipping  directly 
from  a  vendor  is  not  as  much  of  a  benefit  since 
that  vendor  typically  is  dealing  with  a  smaller 
diversity  of  items  and  usually  on  a  less  fre¬ 
quent  basis,”  Ter  Meulen  says. 

Ter  Meulen  estimates  that  all  these  strate¬ 
gies  will  bring  Watts  Water’s  Chinese  lead 
times  down  from  120  days  to  as  little  as  30, 
while  dramatically  increasing  the  company’s 
ability  to  recover  from  unexpected  changes 
in  demand.  Safety  stock  inventory  in  the 
United  States  will  be  down,  and  there  will  be 
less  need  to  create  redundant  manufacturing 
capacity  in  the  United  States  to  cover  for 
problems  in  China. 

The  Shipping  News 

Lead  times  can  be  whittled  down  only  so  far, 
however.  Oceans,  for  example,  are  an  incon¬ 
trovertible  barrier  to  getting  China  supply 
chain  turnaround  times  much  below  30 
days.  IT  hardware  companies  such  as  IBM 
and  Hewlett-Packard  have  a  special  chal¬ 
lenge.  Their  product  lifecycles  are  notori¬ 
ously  short,  and  many  of  their  products, 


such  as  servers  and  PCs,  are  heavy  and 
bulky,  meaning  they  cannot  leapfrog  China’s 
logistical  delays  by  jumping  onto  airplanes. 
It  would  be  too  easy  to  destroy  those  savings 
by  putting  heavy  PCs  and  servers  onto 
planes.  Big  hardware  vendors  are,  thus, 
restricted  to  ships,  which  cannot  get  to  the 
United  States  in  less  than  20  days,  according 
to  Aberdeen  Group,  and  40  percent  of  sur¬ 
vey  respondents  say  they  need  30  days  to 
get  goods  to  the  United  States. 

IBM  and  HP  have  responded  by  breaking 
up  the  Chinese  supply  chain  into  discrete 
chunks.  For  big,  complex  machines  that  have 
short  lifecycles  or  allow  customers  to  specify 
their  own  configurations,  final  assembly 
often  occurs  at  a  plant  close  to  the  final  desti¬ 
nation  in  the  West,  to  avoid  trapping  the 
entire  machine  on  a  boat  for  30  days.  For 
example,  HP  manufactures  the  cores  of  its 
servers  in  China— including  heavy,  less  time- 
sensitive  pieces  such  as  the  enclosure,  wiring 
and  power  supply— then  packs  them  together 
like  sardines  in  huge  shipments  on  cargo 
ships  and  sends  them  to  final  assembly  loca¬ 
tions  in  the  United  States  and  Europe. 
Smaller,  expensive  and  perishable  compo¬ 
nents  such  as  memory,  hard  drives  and 
microprocessors  are  shipped  directly— often 
by  air— to  those  final  assembly  locations. 

But  when  you  pull  a  supply  chain  apart 
into  pieces,  you  need  information  in  order  to 


Demand  Forecasting 


Do  you  worry  that  the  cost  advantages  of  doing 
business  in  China  might  disappear  in  the  next 
decade?  Don't.  To  find  out  why  they  probably 
won't  vanish,  read  GAMBLING  ON  BILLIONS 
in  the  online  version  of  this  story  at 
www.cio.com/101505. 

cio.com 


make  those  pieces  come  back  together  at  the 
right  time  and  place.  Huge,  diversified  global 
suppliers  such  as  Flextronics  and  Solectron 
have  emerged  to  do  most  of  the  manufactur¬ 
ing  for  original  equipment  manufacturers  like 
HP  and  IBM.  With  these  companies,  who  per¬ 
form  the  lion’s  share  of  the  Chinese  supply 
chain  for  computer  makers,  the  IT  links  are 
deep.  “ERP,  planning  systems  and  EDI 
become  important  [to  connect  suppliers  who 
make  semifinished  goods],”  says  Dick  Con¬ 
rad,  senior  vice  president  of  global  operations 
supply  chain  for  HP.  “Suppliers  need  to  be 
able  to  share  forecasts  and  customer  orders  in 
real-time.  We  all  need  inventory  visibility  and 
in-transit  visibility  so  we  can  plan  all  along  the 
supply  chain.”  For  smaller,  independent  sup¬ 
pliers  in  China,  HP  relaxes  its  information 
connectivity  requirements  and  offers  its  own 
systems  through  a  supplier  Web  portal  to 
exchange  basic  information  such  as  delivery 
dates  and  purchase  orders. 

The  risk  of  late  delivery  decreases  in  this 
highly  connected  model,  but  IT  overhead 
will  be  much  higher  than  under  the  “slow- 
boat  from  China”  model.  Yet  overall  IT  costs 
remain  low  for  HP,  according  to  Gianpaolo 
Callioni,  HP’s  director  of  supply  chain  strat¬ 
egy  and  communications.  HP  is  procuring 
computers  in  such  high  volumes  from  its 
major  suppliers  that  the  IT  costs  pale  in  com¬ 
parison  to  the  losses  Callioni  says  he  would 
incur  from  slow  deliveries  or  from  installing 
a  stale  microprocessor  or  hard  drive  in  his 
machines.  “Microprocessors  can  lose  40  to 
50  percent  of  their  value  in  a  year,”  he  says. 

IT’s  power  in  China  today  is  in  linking  dis¬ 
aggregated  supply  chains  and  finding  ways 
to  compensate  for  poor  procurement  and 
logistical  capabilities.  In  other  words,  IT  can 
cut  lead  times  in  some  places  where  guanxi 
cannot.  In  sum,  Chinese  labor  can  reduce  the 
total  cost  of  products.  And  IT  can  reduce  the 
risks  that  come  with  that  cost  reduction:  lead 
time  and  supply  variability.  “CIOs  should  be 
part  of  the  China  decision,”  says  Peter  Regen, 
vice  president  and  partner  of  global  visible 
commerce  for  Unisys.  “That’s  because  they 
can  determine  the  costs  of  those  risks  to  jus¬ 
tify  the  investment.”  HE! 


Executive  Editor  Christopher  Koch  can  be  reached  at 
ckoch@cio.com. 


56 


OCTOBER  15,  2005  |  www.cio.com 


N  ETWORK 

The  largest  and  fastest 
national  wireless  data  network. 
The  largest  U.S.  provider  on 
the  global  standard. 


EXPERTISE 

Our  people  and  partners 
make  wireless  work  for 
more  businesses  than  any 
other  wireless  carrier. 


APPLICATIONS 

The  broadest  and  deepest 
portfolio  of  wireless 
business  solutions. 


SERVICE 

24/7  enterprise-grade 
support.  And  a  service 
staff  dedicated  solely 
to  business  people. 


real  time 


gets  Corporate 


Express  there  in  no  time. 


With  its  24/7  dedicated  business 
service  team,  Cingular  gave 
Corporate  Express  the  support, 
training,  and  technology  needed 
to  migrate  from  a  paper-based 
delivery  system  to  a  real-time 
wireless  solution.  From  system 
installation  and  operation  to 
employee  training,  the  Cingular 
service  team  ensured  a  seamless 


transition  to  the  ALLOVER™  network,  the  largest  digital  voice  and 
data  network  in  America.  For  the  leader  in  office  supplies,  Cingular 
increased  driver  productivity  while  reducing  administrative  costs. 


CINGULAR  MAKES  BUSINESS  RUN  BETTER 


X  cingular 

raising  the  barr.iill 


Find  out  how  Cingular  can  make  your  business  run  better: 

CALL  your  account  representative  -or-  CLICK  cingular.com/businessleader 


Circular's  ALLOVER  data  network  covers  over  250  million  people  and  is  growing. 

Coverage  is  not  available  in  all  areas.  Global  coverage  based  on  coverage  in  174  countries.  Fastest  claim  compares  Cingular's  measured  speed  of  its  EDGE 
network  to  other  carriers'  speed  claims  for  their  national  data  networks.  All  marks  property  of  their  respective  owners.  ©2005  Cingular  Wireless.  All  rights  reserved. 


Six  Simple 


You  can  save  money,  increase  revenues  and 
generate  loyalty  when  you  let  customers 
help  themselves.  But  only  if  you  do  it  right. 


BY  ALICE  DRAGOON 


Reader  ROI 

::  Why  many  self-service 
projects  fail 

::  Examples  of 
successful  systems 

::  Rules  for  getting 
self-service  right 


Chances  are  it’s  been  about  20  years  since  you’ve  stood 
in  line  at  your  bank  to  get  cash  from  a  teller.  ATMs  offer 
such  convenience— and  are  so  much  more  efficient  for 
banks— that  no  one  can  fathom  going  back  to  the  old  days. 
Ever  since  then,  companies  have  been  eager  to  tap  into 
the  free  labor  pool  of  customers  who  can  be  convinced  to 
help  themselves.  Through  self-service,  organizations  have 
been  able  to  reduce  labor  costs,  increase  revenue  from 
orders  of  out-of-stoek  items  or  increase  the  loyalty  of  cus¬ 
tomers  who  appreciate  speedier  service. 


58  OCTOBER  15,  2005  |  www.cio.com 


a 


PHOTO  BY  STAN  KAADY 


Rocky  Wiggins,  CIO  of 

AirTran  Airways,  makes 
sure  the  airline’s  self- 
service  kiosks  are  simple 
to  use  and  offer  clear 
benefits  for  customers. 


But  as  surely  as  you  love  using  ATMs,  you’ve  walked  away  from 
a  kiosk  that’s  confusing  or  abandoned  an  unseannable  item  at  the 
self-checkout  line— and  some  company  lost  a  sale.  The  reality  is  that 
although  some  self-service  projects  pay  off  handsomely,  the  ROI 
from  such  projects  can  be  elusive.  Francie  Mendelsohn,  president  of 
Summit  Research  Associates,  estimates  that  15  percent  to  20  percent 
of  all  self-service  kiosk  projects  ultimately  fail.  Success  with  kiosks 
and  self-checkout  systems  is  often  tricky  to  achieve  because  so  many 
things  can  go  wrong.  Such  systems  won’t  work  if  customers  have  no 
incentive  to  use  them.  If  kiosks  are  too  complex,  customers  get  con¬ 
fused  and  give  up  in  frustration.  Sometimes,  self-service  fails  for  the 
simple  reason  that  customers  don’t  know  it’s  an  option  or  are  wary 
of  trying  it  on  their  own. 

American  Greetings  once  spent  millions  on  kiosks  that  enabled 
people  to  design  their  own  cards,  only  to  find  that  customers  weren’t 
willing  to  pay  a  premium  for  their  own  creativity.  Grocery  chain 


Hannaford  Bros,  fared  better,  but  its  first  attempt  at  self-service  fiz¬ 
zled.  In  the  late  ’90s,  Hannaford  piloted  handheld  self-checkout 
scanners  in  its  Scarborough,  Maine,  store.  The  few  customers  who 
used  the  scanners  loved  them,  says  Hannaford  CIO  Bill  Homa,  and 
tended  to  spend  more.  But  no  more  than  11  percent  of  customers 
used  the  tool,  so  Homa  couldn’t  justify  a  full  rollout.  Homa  sus¬ 
pected  that  customers,  who  were  required  to  sign  out  a  scanner  but 
still  had  to  pay  a  cashier,  found  the  scanners  too  much  of  a  bother.  So 
Hannaford  turned  to  the  more  convenient  self-checkout  lanes.  Today, 
as  much  as  28  percent  of  customers  use  the  service  and  the  ROI  is 
slightly  ahead  of  breakeven. 

Companies  such  as  Hannaford  that  have  done  well  with  self-serv¬ 
ice  succeed  by  following  six  simple  rules,  which  they  derived  from 
their  own  and  others’  mistakes.  Learn  from  them,  and  you  can  fix 
what  ails  your  own  self-service  systems— or  even  get  them  right  the 
first  time. 


www.cio.com  |  OCTOBER  15,  2005 


59 


Customer  Service 


Provide  a  Benefit  to  Customers 

Self-service  has  to  make  something  faster,  cheaper  or  better  for  cus¬ 
tomers,  says  Sam  Israelit,  a  Bain  &  Co.  partner  and  retail  IT  strategy 
expert.  “If  it  doesn’t  do  one  of  those  three,”  he  says,  “you’re  wasting 
your  money.” 

For  instance,  kiosks  that  the  Mayo  Clinic  once  installed  in  Target 
stores  in  Arizona  offered  consumers  little  to  no  value.  The  kiosks 
were  intended  to  sell  books,  newsletters  and  a  CD  for  kids  about 
anatomy.  Yet  instead  of  setting  up  the  kiosk  to  demonstrate  the  CD 
or  let  consumers  swipe  their  cards  to  order  one,  Mayo  just  displayed 
the  CDs  and  books  on  a  rack.  Meanwhile,  the  clinic  squandered  the 
kiosk  screen:  Set  up  to  provide  health  information  to  customers,  it 
spewed  out  too  much  data.  The  “coughs  and  colds”  entry,  for  instance, 
included  a  12-page,  single-spaced  list  of  over-the-counter  and  pre¬ 
scription  medications.  After  four  months,  Mayo  Clinic  pulled  the  plug. 

On  the  other  hand,  airline  passengers  are  willing  to  use  kiosks  to 
avoid  long  lines.  Although  a  check-in  agent  will  beat  a  kiosk  user  in 
a  time  trial,  kiosks  make  it  possible  for  multiple  simultaneous  check¬ 
ins,  which  make  for  shorter  lines.  “The  time  the  customer  has 
invested  from  the  time  they  arrive  at  the  counter  to  the  time  they  go 
to  the  gate  is  shorter,  even  though  individual  transactions  can  be 
longer,”  says  Rocky  Wiggins,  CIO  of  AirTran  Airways.  In  some 
cases,  even  the  perception  that  self-service  technology  saves  time  is 
enough  to  get  customers  happily  using  it.  Homa  says  that  customers 
think  Hannaford’s  self-checkout  is  speedier,  even  though  cashiers 
generally  scan  more  than  four  times  as  many  items  a  minute  as  the 
average  customer.  “Customers  are  busy  scanning  and  not  waiting,” 
he  says,  “so  it  just  seems  faster.” 


Make  Transactions  Intuitive 

The  simpler  the  transaction,  the  easier  it’s  translated  into  an  intuitive 
self-service  process.  “The  secret  of  self-service  is  four  words:  Don’t 
make  me  think,”  Mendelsohn  says.  “If  the  interface  is  confusing,  peo¬ 
ple  are  not  going  to  stand  there  and  Figure  it  out.  They’re  just  gone.” 

Under  pressure  to  reduce  costs,  airlines  have  succeeded  at  shift¬ 
ing  a  large  chunk  of  their  routine  check-in  transactions  to  kiosks. 
After  all,  if  a  passenger  just  needs  a  boarding  pass,  having  an  agent 
confirm  the  flight  information  and  print  it  adds  cost  but  no  value  (the 
average  cost  of  printing  boarding  passes  drops  from  $3.68  to  just 
16  cents  when  customers  do  it  themselves).  When  US  Airways  intro¬ 
duced  self  check-in  kiosks  in  1999,  the  goal  was  to  make  them  so  intu¬ 
itive  that  they’d  be  “dead  simple,”  even  for  people  who  were  not 
technically  savvy,  says  Mark  Kuhns,  managing  director  of  market¬ 
ing  and  e-commerce.  After  extensive  testing  in  focus  groups,  the 
airline  created  a  process  that  is  still  largely  in  use:  Passengers  swipe 
a  credit  card  or  loyalty  card  to  identify  themselves,  confirm  their 
flight  information,  then  choose  a  seat  or  confirm  a  previous  seat 

60  OCTOBER  15,  2005  |  www.cio.com 


Customer-Friendly  Kiosks 

A  well-designed  kiosk  is  easy  to  use.  Francie 

Mendelsohn,  president  of  Summit  Research 

Associates,  has  seen  enough  kiosks  to  know 

which  features  are  essential  to  usability. 

Here’s  her  list: 

»  Big  buttons.  Small  touch-screen  buttons  will  foil  large  fingers. 

»  Feedback.  When  you  touch  a  button  onscreen,  it  should 
“depress”  and  change  color. 

»  Readability.  Dark  text  on  a  light  background  is  the  most  legible. 

»  Consistency.  Give  every  touch  screen  the  same  look  and  feel. 
Even  slight  deviations  can  confuse  users. 

»  Speed.  Have  enough  bandwidth  so  that  users  don’t  have  to  wait 
for  transactions  to  be  processed. 

»  Cleanliness.  Choose  dark-colored  kiosk  cabinets  to  hide  finger 
smudges,  or  use  enclosures  made  of  fingerprint-resistant  materials. 

»  Short  screens.  Customers  prefer  not  to  scroll. 

»  Clear  directions  and  unambiguous  choices.  Remember 
that  people  are  standing  up.  If  it’s  confusing,  they’ll  walk  away. 

»  Minimal  animation.  Fancy  flashing  lights  and  movement  will 
slow  down  transactions  and  annoy  customers. 

»  No  annoying  sounds.  Employees  will  pull  the  plug.  -A.D. 


assignment.  Then  they’re  asked  if  they  have  any  bags  to  cheek;  if  yes, 
they  enter  how  many.  A  final  screen  offers  them  the  option  of  print¬ 
ing  an  itinerary.  The  kiosk  then  prints  a  boarding  pass  and  an  itin¬ 
erary.  The  airline  claims  that  customers  without  bags  to  check  can 
complete  the  entire  process  in  as  little  as  30  seconds. 

To  further  simplify  the  process  for  passengers  who  don’t  carry 
loyalty  cards— or  who  just  don’t  want  to  pull  out  their  wallets— the 
airline  added  a  cardless  access  feature  in  early  2004.  Once  cus¬ 
tomers  were  allowed  to  identify  themselves  by  entering  their  name 
or  flight  number  on  the  touch  screen,  kiosk  usage  went  up  25  per¬ 
cent.  Today,  kiosks  handle  50  percent  to  55  percent  of  all  check-ins 
at  US  Airways,  in  line  with  the  industry  average. 

When  companies  add  complexity  to  their  transactions,  they  run  the 
risk  of  confusing— or  worse,  losing— customers.  Complexity  increases 
the  time  customers  need  to  spend  at  the  kiosk,  as  well  as  the  likelihood 
that  they’ll  get  stuck  and  need  to  ask  for  help.  At  AirTran,  check-in 
kiosks  from  Kinetics  are  programmed  to  refer  nonroutine  transactions 
to  agents.  For  instance,  if  two  passengers  with  the  same  last  name  and 
first  initial  are  leaving  from  the  same  airport,  the  kiosk  will  ask  for  the 
destination  city.  If  that  tiebreaker  doesn’t  identify  the  person,  the  kiosk 
will  prompt  for  the  travel  confirmation  number.  But  if  the  passenger 
doesn’t  have  it,  she  will  be  instructed  to  see  an  agent,  who  can  determine 
her  identity  more  quickly  and  free  up  the  kiosk  for  the  next  customer. 

“We  don’t  try  to  handle  all  the  minute,  complex  scenarios  that 
may  come  about,”  says  Wiggins.  “If  [your]  target  is  to  handle  100 


Multi-Vendor  Storage  Services  from  Kodak 


10%  rebate  on  data  storage  services. 
Watch  your  productivity  soar.  No  limits. 

Take  flight  with  KODAK  Service  &  Support  and  watch  1 0%  of  your  first  year  maintenance  agreement  disappear 
into  thin  air.*  As  a  world  leader  in  imaging  technology,  Kodak  gives  your  company  ultimate  service  capabilities  for 
all  kinds  of  data  storage,  from  optical  and  tape  libraries  to  NAS/SAN.  You  get  highly-trained,  certified  field 
engineers  whenever  and  wherever  you  need  them,  worldwide  parts  availability,  and  exceptional  on-site  and  help 
desk  service  24/7— at  a  10%  savings  over  the  regular  cost.  So  watch  your  productivity  spread  its  wings  and  soar 
with  market-leading  service  from  Kodak. 

This  offer  has  been  extended.  Get  on  board  by  October  31, 2005. 

Call  1  -800-944-6 171,  ext.  54  or  sign  up  at  www.kodak.com/go/less lOpercent. 

Featured  storage  manufacturers  we  service: 

ADIC;  Quantum/ATL;  StorageTek;  LeftHand  Networks;  Xyratex;  Plasmon; 

Spectra  Logic;  Breece  Hill  and  more. 

'Offer  applies  to  eligible  storage  equipment 


©  Kodak,  2005.  Kodak  is  a  trademark  of  Kodak. 


Kodak 


Robert  Machen,  Hilton’s  vice  president  of  corporate  and  brand  solu¬ 
tions,  assigns  staff  to  help  customers  with  kiosks  when  needed. 

percent  of  them,  you  will  be  in  development  forever  and  will  over¬ 
complicate  the  process  for  most  of  your  customers.” 

Hilton  had  unsuccessfully  piloted  a  self  check-in  kiosk  in  its 
hotels  in  1997.  Before  trying  again  in  2004,  Robert  Machen,  vice 
president  of  corporate  and  brand  solutions,  and  Chuck  Scoggins, 
vice  president  of  OnQ  Customer  Solutions  (OnQ  is  Hilton’s  inte¬ 
grated  technology  platform),  made  simplicity  their  guiding  princi¬ 
ple.  “The  fewer  things  on  the  screen,  the  better,”  says  Machen. 
Hilton’s  kiosk  replicates  the  steps  of  the  familiar  hotel  check-in 
process  so  that  the  self-service  version  seems  logical  to  guests. 

The  new  kiosks  have  proven  to  be  effective  line-busters.  One  day 
in  March  2004,  the  1, 544-room  Chicago  Hilton  &  Towers  was 
expecting  1,100  arrivals.  Although  that  many  arrivals  would  nor¬ 
mally  lead  to  significant  lines  at  peak  check-in  times,  says  Machen, 
the  kiosks  processed  33  percent  of  the  day’s  check-ins,  and  there 
was  no  line  at  the  front  desk  all  day.  He  adds  that  kiosks  have  also 
prevented  lines  in  similar  situations  at  Hilton’s  other  large  hotels. 


Show  Customers  What  to  Do 


Ideally  kiosks  should  be  so  intuitive  that  customers  can  figure  out 
how  to  use  them  on  their  own.  But  just  because  you’re  offering  self- 
service  doesn’t  mean  you  should  leave  customers  to  fend  entirely  for 
themselves,  especially  when  you  launch  a  new  system.  Machen  and 
Scoggins  say  that  one  of  the  main  reasons  Hilton’s  first  kiosks 


didn’t  take  off  was  that  the  hotelier  didn’t  do  enough  to  edu¬ 
cate  guests  or  help  them  when  they  ran  into  trouble.  “Our 
original  approach  with  kiosks  in  1997  was,  ‘This  is  self- 
service.  It  should  be  like  an  ATM,  where  you  set  it  out  and 
it  works  100  percent  of  the  time,”’  recalls  Machen. 

This  time  around,  Hilton  is  going  with  an  assisted  self- 
service  model,  making  sure  there’s  always  a  service  agent 
available  to  teach  guests  how  to  use  the  kiosks  and  help  if 
they  run  into  problems.  Some  agents  are  equipped  with  hand¬ 
held  devices  that  give  them  full  access  to  front-desk  systems. 
If  they  can’t  resolve  an  issue,  they’ll  make  sure  the  guest  gets 
expedited  service  there.  In  addition,  the  agents  also  serve  as 
greeters  and  are  accessible  to  guests  who  need  directions  or 
have  questions. 

Stores  using  self-checkouts  typically  have  one  person 
manning  four  self-service  lanes.  At  the  Pittsburgh-based 
Giant  Eagle  grocery  chain,  a  paystation  attendant  monitors 
the  self-checkout,  helps  customers  with  problems  and 
watches  for  fraud.  In  some  cases,  a  bagger  is  also  assigned, 
according  to  CIO  Russ  Ross.  With  such  assistance,  as  much 
as  25  percent  of  customers  use  self-checkouts,  accounting  for 
20  percent  of  sales.  Even  when  staff  are  available  to  assist  cus¬ 
tomers  with  self-checkout,  the  savings  on  checkout  labor  can  still 
run  from  40  percent  to  60  percent,  says  Israelit. 

Because  employees  play  such  a  critical  role  in  training  customers 
to  use  self-service  technology,  it’s  essential  to  get  their  buy-in  up 
front.  “If  they  see  it  as  a  threat,  the  kiosk  is  going  to  fail,”  says 
Mendelsohn.  Instead,  they  need  to  see  self-service  as  a  way  to  help 
them  do  their  jobs  more  effectively.  At  AirTran,  Wiggins  says,  the 
airline  convinced  employees  to  get  behind  the  technology  by  giving 
them  self-service  targets  to  shoot  for. 

At  the  same  time,  don’t  force  self-service  on  customers.  Self-serv¬ 
ice  can  shortchange— and  alienate— those  who  genuinely  need  per¬ 
sonal  attention.  Israelit  advises  that  high-value  clients  and 
customers  with  complex  problems  should  never  be  foisted  off  onto 
a  kiosk.  “Self-checkout  at  Tiffany’s  is  not  going  to  work.” 


Choose  the  Right  Locations 

The  location  of  a  kiosk  can  have  a  lot  to  do  with  its  success.  Hilton  has 
found  that  from  20  percent  to  30  percent  of  guests  use  self  check-in 
at  hotels  near  airports  compared  with  10  to  12  percent  of  guests  over¬ 
all.  The  company  concludes  that  people  who  fly  are  accustomed  to 
using  kiosks  and  like  to  have  that  option  at  their  hotel. 

Following  this  logic,  Hilton  has  installed  a  kiosk  in  the  Honolulu 
airport  so  that  guests  can  check  themselves  in  while  they  wait  for 
their  baggage.  Hilton’s  IT  department  monitors  and  supports  that 
kiosk  remotely  over  the  Web,  as  it  would  any  other  kiosk.  (Remote 
monitoring  software  that  pings  kiosks  to  make  sure  they’re  up  and 
running  is  essential,  notes  Israelit:  You  can’t  count  on  someone  like 
the  cashier  in  a  convenience  store  to  tell  you  your  kiosk  is  broken.) 


62 


OCTOBER  15,  2005  |  www.cio.com 


PHOTO  BY  MARK  ROBERT  HALPER 


NAME 


Mr.  50,000  Global 
Remote  and  Mobile 
Users  Connected 
Without  a  VPN. 


"At  Nissan,  we  expect  to  save  at  least  $135  million 
annually  thanks  to  the  efficiencies  that  Windows 
Server  2003  and  Exchange  Server  2003  are 
helping  us  achieve." 

Toshihiko  Suda 

Senior  Manager,  Nissan  Motor  Company,  Ltd. 


WM  ■ 


NISSAN 


Make  a  name  for  yourself  with  Windows  Server  System.  An  upgrade  to  Microsoft® 
Windows  Server  System™  made  it  possible  for  50,000  worldwide  employees  at 
Nissan  Motor  Company  to  have  more  secure  remote  access  to  their  e-mail  and 
calendars  from  any  Internet  connection,  without  the  hassle  and  expense  of 
a  VPN.  Here's  how:  By  deploying  Windows  Server™  2003  and  Exchange  2003, 
not  only  did  Nissan  IT  meet  the  CEO's  demand  for  better  global  collaboration, 
they  expect  to  save  at  least  $135  million  by  streamlining  their  messaging 
infrastructure.  To  get  the  full  Nissan  story  or  find  a  Microsoft  Certified  Partner, 
go  to  microsoft.com/wssystem 


Microsoft' 


Windows 
Server  System 


Customer  Service 


Self-service  has  to  make  something  faster,  cheaper  or  better 
for  customers.  If  it  doesn’t,  you’re  wasting  your  money. 


Someone  from  Hilton  also  makes  sure  the  Honolulu  airport  kiosk  is 
stocked  with  paper  and  room  key  cards. 

Where  a  kiosk  is  located  inside  a  hotel,  airport  or  shop  also  mat¬ 
ters.  You  have  to  put  kiosks  where  people  are  most  likely  to  want  to 
use  them.  “If  you’ve  got  400  people  in  a  conference  room,”  says 
Machen,  “you  know  they  all  need  to  check  out  and  head  to  the  air¬ 
port,  so  you  can  put  a  kiosk  right  in  front  of  the  conference  area.”  But 
because  customer  needs  or  business  needs  may  change,  kiosks  must 
be  easy  to  move.  Hilton’s  1997  kiosks  were  so  large  and  cumber¬ 
some  that  once  installed,  they  couldn’t  be  moved,  and  this  fact  may 
have  contributed  to  their  poor  usage. 

Kiosks  are  more  streamlined  now,  but  it’s  still  expensive  to  pull 
cables  for  a  new  location.  So  this  time,  Hilton  went  wireless.  Like¬ 
wise,  AirTran’s  Wiggins  prefers  secure,  wireless  kiosks  because  they 
are  cheaper  and  provide  greater  flexibility.  “Airports  are  notorious  for 
saying,  ‘Move  from  this  ticket  counter  location  to  that  one,”’  he  says. 
Sometimes  AirTran  doesn’t  even  have  to  move  a  wireless  access  point 
to  set  up  kiosks  at  the  new  location.  And  if  volume  justifies  installing 
extra  kiosks,  it’s  just  a  matter  of  getting  them  delivered  and  assembled. 

Wherever  you  locate  a  kiosk,  make  sure  customers  can  find  it 
easily.  When  the  U.S.  Postal  Service  rolled  out  its  Automated  Postal 
Center  (APC)  kiosks  last  year,  it  needed  to  inform  customers  that 
they  could  use  it  to  buy  stamps  and  post  packages.  The  USPS  drew 
attention  to  the  kiosks  with  bright  yellow  footprints  on  the  floor,  as 
well  as  large  yellow  circles  with  red  arrows  that  point  to  the  APCs 
and  say  things  like,  “New.  Buy  Stamps.  Automated  Postal  Center.” 


Beware  of  Legacy  Systems 

Investing  in  self-service  technology  can  be  a  bad  idea  if  your  technol¬ 
ogy  is  outdated  or  if  the  data  needed  for  self-service  transactions  isn’t 
integrated.  “If  you  work  largely  off  legacy  systems,  [integration]  can 
be  a  significant  challenge,”  says  Israelit.  “It  may  require  you  to  upgrade 
overall  systems,  and  if  so,  the  economics  may  not  make  sense.” 

Hilton’s  first  attempt  to  introduce  kiosks  failed  in  part  because  of 
integration  problems.  The  kiosks  were  connected  to  Hilton’s  pro¬ 
prietary  property  management  system,  which  stores  information  on 
reservations  and  occupancy,  through  what  Machen  calls  “archaic” 
serial  interfaces.  As  a  result,  the  kiosks  sometimes  had  trouble  com¬ 
municating  with  the  property  system  and  had 
limited  ability  to  resolve  reservation  or  room 
selection  issues.  Because  of  this,  more  than  30 
percent  of  the  time  customers  were  forced  back 
to  the  check-in  line.  Hilton  shut  down  the  pilot 
within  a  year.  Since  then,  Scoggins  and  his  team 
have  deployed  a  Web  services  layer  on  top  of  the 


property  system,  making  it  possible  to  create  a  reliable  interface  to 
the  kiosks  using  Web-based  transactions.  They  also  upgraded  the 
property  system  to  separate  business  rules  from  the  user  interface 
so  that  kiosks  can  access  the  business  rules  from  the  property  sys¬ 
tem  and  IT  is  spared  the  work  of  recreating  them. 

To  make  integration  easier,  Israelit  advises,  also  use  the  same 
content  management,  logistics  or  product  information  systems  you 
use  for  conventional  transactions  rather  than  create  extra  systems 
to  manage  kiosk  content. 


Why  Retailers  Like  Self-Service 


A  REPORT  FROM  SUMMIT  RESEARCH 
ASSOCIATES  outlines  trends  in  retail  kiosk 
use.  Find  it  online  at  www.cio.com/101505. 

cio.com 


Take  a  Test-Drive 

U.S.  Postal  Service  (USPS)  CTO  Robert  Otto  recalls  when  customers 
first  began  using  the  postal  service’s  APC  kiosks,  and  it  was  possi¬ 
ble  for  them  to  get  their  fingers  caught  in  the  heavy  door  to  the  pack¬ 
age  drop.  This  problem  was  identified  during  the  pilot  phase  and  the 
USPS  modified  the  door  before  rolling  out  to  its  first  2,500  locations. 

Having  pilots  in  several  locations  also  gave  the  USPS  a  chance  to 
test  its  processes  for  supporting  the  system.  Staff  learned,  for  instance, 
that  they  needed  to  rethink  the  process  of  pushing  virus  protection  to 
the  kiosks.  Because  the  kiosks  are  located  in  post  office  lobbies  that  are 
open  around  the  clock,  Otto’s  team  could  potentially  cause  delays  for 
users  whenever  they  installed  patches  or  updates.  Piloting  allowed  the 
team  to  figure  out  the  best  way  to  manage  that  process  in  order  to  min¬ 
imize  its  impact  on  customers.  The  pilots  also  helped  the  USPS  fine- 
tune  the  services  the  APCs  offered.  “Initially  we  let  customers  buy  one 
stamp,”  says  George  Wright,  manager  of  finance  and  administration 
systems.  “But  we  found  out  that  the  cost  of  the  transaction  was  greater 
than  the  cost  of  the  stamp.”  Today,  APCs  sell  stamps  only  in  multiples. 

The  time  spent  fine-tuning  the  kiosks  paid  off.  A  month  after  the 
first  ones  were  deployed,  a  survey  found  that  98  percent  of  cus¬ 
tomers  who  used  them  felt  that  the  APC  was  easy  to  use,  100  percent 
said  they’d  use  it  again  and  98  percent  indicated  they’d  use  it  after 
normal  office  hours.  To  date,  the  USPS  has  generated  more  than 
$200  million  in  revenue  from  the  APCs  and  has  reduced  staffing  at 
post  office  counters  enough  to  save  $12  million  during  FY04. 

Ultimately,  success  with  self-service  comes  down  to  understand¬ 
ing  your  customers  and  designing  systems  that  meet  their  needs  as 
well  as  yours.  If  they  value  such  benefits  as  shorter  lines  or  more 
control  over  their  transactions,  letting  cus¬ 
tomers  serve  themselves  could  benefit  your 
company  as  well.  E0 


Alice  Dragoon  is  a  freelance  writer  in  Lexington,  Mass. 
Send  feedback  to  Senior  Editor  Elana  Varon  at 
evaron@cio.com. 


64 


OCTOBER  15,  2005  |  www.cio.com 


Juniper  Ulo^  Net 


^"7 '?miL*k  fjcfU  &M:C 

Wa  tAftr  W 


»  Tired  of  cal  s  th  t  so  nd  like  th  s?  Want  cost  benefits  of  voice  over  IF?  but  sick 
of  delay  and  dropped  data?  Try  Secure  and  Assured  VoIP,  only  from  Juniper  Networks.  Juniper  ensures 
voice  receives  higher  priority  and  bandwidth,  for  highest-quality  performance.  And  our  application- 
aware  platforms  stop  hackers,  DoS  attacks  -  all  network  threats.  Expect  more  from  your  VoIP  Juniper 
your  net  and  get  unrivaled  performance  and  security:  http://www.juniper.net/solutions/voice/ 


888-JUNIPER  (1-888-586-4737) 


This  has  not  been  a  banner 

year  for  information  security. 

From  a  stolen  laptop  full  of  Social  Security  numbers  to  a  website  that  lost  oceans  of 
credit  card  data,  commonsense  security  procedures  seem  in  short  supply.  “Almost  with¬ 
out  exception  we’re  living  in  a  world  where  no  one  thinks  to  lock  the  stable  doors  until 
the  horses  have  escaped,”  says  David  Friedlander,  a  senior  analyst  at  Forrester  Research. 

CIOs  can  spend  millions  on  firewalls,  intrusion  detection  systems  and  whatever  else 
their  security  vendors  are  selling,  but  when  that  VP  of  marketing  decides  to  sync  his 
work  laptop  with  his  unsecured  home  PC— and  there’s  no  policy  or  training  to  make  him 
think  twice— your  million-dollar  security  efforts  become  worthless. 

With  that  in  mind,  here  are  10  common  security  ailments  and  10  practical  remedies. 

They’re  easy  and  inexpensive,  and  you  can  do  them  right 
now.  All  involve  some  form  of  user  education  and  training. 
“How  do  you  stop  stupid  mistakes?”  asks  Mark  Lobel,  a  part¬ 
ner  in  the  security  practice  at  PricewaterhouseCoopers.  “It’s 
education  and  security  awareness— basic  blocking  and  tack¬ 
ling— and  it  does  not  have  to  cost  a  fortune.” 

www.cio.com  ]  OCTOBER  15,  2005  67 


Reader  ROI 

::  Common  security 
problems  and  how 
to  fix  them 

::  Steps  for  preventing 
future  holes 


ILLUSTRATIONS  BY  TAVIS  COBURN 


Security  Fixes 


Save  As... 

The  Hole  |  A  company  familiar  to  Adam  Couture,  a  principal  ana¬ 
lyst  at  Gartner  Research,  searched  its  Exchange  servers  for  docu¬ 
ments  called  “passwords.doc.”  There  were  40  of  them. 

The  Problem  |  Uneducated  users.  “Some  of  these  [mistakes]  are 
so  obvious  that  you  think,  ‘Nobody  would  do  that,’”  Couture  says. 
“But  you  give  people  too  much  credit.”  Any  hacker,  malcon¬ 
tent  employee  or  grandmother  with  a 
minimal  amount  of  computer  know¬ 
how  could  unlock  those  documents  and 
ravage  your  company’s  most  sensitive 
applications  (not  to  mention  all  of  your 
employees’  personal  information). 

The  Solution  |  First,  CIOs  need  to 
acknowledge  that  there  might  be  pass¬ 
words.doc  files  on  their  networks,  find 
them  and  destroy  them.  Then,  via  e-mail 
or  a  companywide  meeting,  they  need  to 
explain  to  users  why  keeping  a  file  like  this 
on  the  network  is  a  really,  really  bad  idea. 

Ever  Heard  of  “bcc:”? 

The  Hole  |  On  June  13,  2005,  the  Uni¬ 
versity  of  Kansas  Office  of  Student  Finan¬ 
cial  Aid  sent  out  an  e-mail  to  119  students, 
informing  them  that  their  failing  grades 
put  them  at  risk  of  losing  their  financial 
aid.  The  e-mail  included  all  119  students’ 
names  within  the  e-mail  address  list. 

The  Problem  |  Besides  embarrassing 
their  students,  U.  Kansas  administrators 
may  have  violated  the  Department  of  Education’s  Family  Education 
Rights  and  Privacy  Act,  which  protects  the  privacy  of  students’ 
grades  and  financial  situations. 

The  Solution  |  First,  companies  need  a  policy  that  explicitly 
states  what  can  and  cannot  be  sent  out  via  e-mail  or  IM.  “A  lot  of  com¬ 
panies  don’t  have  good  acceptable-use  policies  for  e-mail,”  says 
Michael  Osterman,  founder  of  Osterman  Research.  He  suggests  that 
they  map  out  how  employees  should  handle  confidential  informa¬ 
tion,  offer  them  training  and  have  them  sign  a  one-page  document 
stating  that  they  have  taken  the  course  and  understand  what  to  do. 
University  of  Kansas  officials  say  they  have  “undertaken  internal 
measures— such  as  reviewing  e-mail  and  privacy  policies,  and  train¬ 
ing  staff— to  ensure  it  does  not  happen  again.” 

Osterman  also  suggests  that  CIOs  add  an  outbound  scanning 
system  to  the  existing  e-mail  system  that  looks  for  sensitive  content 
in  e-mails  (such  as  16-digit  numbers,  which  could  be  credit  card 
numbers).  He  says  these  systems  are  inexpensive  and  are  offered  by 
scores  of  messaging  vendors;  some  vendors  will  even  do  a  compli¬ 
mentary  scan  of  a  company’s  messages  to  see  how  bad  it  might  be. 
One  vendor  that  he’s  familiar  with  started  scanning  a  new  cus¬ 
tomer’s  network  and  found  10  violations  in  10  minutes. 


No  One  Noticed?  Really? 

The  Hole  |  Orazio  Lembo,  of  Hackensack,  N.J.,  made  millions  by 
purchasing  account  information  from  eight  bank  employees  who 
worked  at  several  financial  institutions,  including  Bank  of  America, 
Commerce  Bank,  PNC,  Wachovia  and  others.  Lembo  paid  $10  for 
each  pilfered  account.  Most  of  the  felonious  employees  were  high- 
level,  but  two  bank  tellers  were  also  arrested.  Lembo  had 
approximately  676,000  accounts  in  his  database, 
according  to  Capt.  Frank  Lomia  of  the  Hacken¬ 
sack  Police  Department,  an  official  investi¬ 
gating  Lembo. 

The  Problem  |  Capt.  Lomia  says 
that  many  of  Lembo’s  contacts  usually 
accessed  and  sold  100  to  200  accounts 
a  week— but  one  managed  to  access 
500  in  one  week.  “What  surprised  me 
is  that  someone  could  look  at  500 
accounts  and  have  no  one  notice,”  he 
says. 

The  Solution  |  CIOs,  with  the  help 
of  the  HR,  security  and  audit  functions, 
need  to  institute  a  clearly  defined  policy 
on  who  has  access  to  what  information, 
how  they  can  access  it  and  how  often. 
After  all,  with  HIPAA,  Sarbanes-Oxley 
and  Gramm-Leach-Bliley  looking  over 
CIOs’  shoulders,  compliance  and  con¬ 
trols  have  to  be  on  the  top  of  the  to-do 
list.  “Through  all  the  phases  of  infor¬ 
mation  creation  to  maintenance  and 
storage  and  destruction,”  asks  PwC’s 
Lobel,  “do  you  have  that  data  classification  and  lifecy¬ 
cle  process,  and  do  people  know  what  it  is?”  Lobel  says  many  of  his 
clients  have  compliance  controls,  but  employees  either  don’t  know 
such  controls  exist  or  aren’t  clear  where  they  apply.  “User  education 
is  not  easy,  but  it  is  worth  the  effort,”  he  says. 

ChoicePoint’s  Bad  Choice 

The  Hole  |  Criminals  posing  as  small-business  owners  accessed 
the  information— names,  addresses  and  Social  Security  numbers— 
of  145,000  ChoicePoint  customers. 

The  Problem  |  Call  it  what  you  will— fraud,  “social  engineering,” 
the  Kevin  Mitnick  effect— this  was  one  really  glaring  example  of 
how  these  kinds  of  attacks  are  plaguing  companies.  Lobel  says 
commercial  enterprises  could  improve  when  it  comes  to  training 
users  about  social  engineering— hackers  targeting  well-meaning 
users  over  the  phone  or  Internet  to  obtain  private  information  such 
as  passwords.  “We’re  always  going  to  find  somebody  who  doesn’t 
know  what  they  shouldn’t  be  doing,”  he  says. 

The  Solution  |  CIOs  should  make  sure  that  both  users  and 
customers  are  adequately  trained  in  how  to  recognize  and  respond 
to  phishing  and  other  related  attacks— especially  before  they  go  out 


68 


OCTOBER  15,  2005  |  www.cio.com 


Citrix  NetScaler 

makes  any  application 

run  up  to 

15  times  faster 

for  anyone,  anywhere. 


Every  day,  leading  Global  2000  enterprises, 
including  the  five  largest  e-businesses  in 
the  world,  rely  on  Citrix' NetScaler"  solutions 
to  dramatically  accelerate  application 
performance.  All  without  adding  servers, 
bandwidth,  or  consultants.  Perhaps  that’s 
why  Citrix  NetScaler  application  delivery 
systems  are  rated  #1  in  customer  satisfac¬ 
tion  among  Layer  4-7  networking  vendors. 
See  what  Citrix  NetScaler  can  do  for  you 
at  www.citrix.com/netscaler 

ciTRIX* 


©  2005  Citrix  Systems,  Inc.  All  rights  reserved.  Citrix  and  NetScaler  are  trademarks  of  Citrix  Systems, 
Inc.,  and/or  one  or  more  of  its  subsidiaries,  and  may  be  registered  in  the  U.S.  and  in  other  countries. 


Security  Fixes 


and  hire  a  company  such  as  PwC  to  audit  their  user  base.  “[CIOs] 
should  spend  their  money  on  a  [training]  program  rather  than  on 
testing,”  Lobel  says.  ChoicePoint  claims  that  it  has  strengthened 
its  customer-credentialing  procedures  and  is  re-credentialing 
broad  segments  of  its  customer  base,  including  its  small-business 
customers. 

Loose  Laptops 

The  Hole  |  On  April  5,  MCI  said  that  an  MCI  financial  analyst’s 
laptop  had  been  stolen  from  his  car,  which  was  parked  in  his  home 
garage.  That  laptop  contained  the  names  and  Social  Security  num¬ 
bers  of  16,500  current  and  former  employees. 

The  Problem  |  In  many  recent  cases  involving  laptops,  the  com¬ 
puter’s  security  was  handled  by  a  Windows  log-on  password.  “It’s 
getting  easier  for  even  the  more  casual  criminal  to  find  out  how  to 
break  into  the  laptop,”  says  Forrester’s  Friedlander.  “There’s  more 
awareness  that  the  information  is  valuable.”  Plus,  the  data  in  many  of 
these  recent  incidents  wasn’t  encrypted.  (MCI  won’t  say  whether  the 
stolen  laptop  was  encrypted,  just  that  it  had  password  protection). 
According  to  Friedlander,  encryption  adoption  is  much  lower  than 
firewall  adoption  because  encryption  historically  has  had  perform¬ 
ance  issues  (it  slows  the  computer  down)  as  well  as  usability  issues 
(users  are  often  confused  about  how  to  encrypt  the  right  data).  In  a 
recent  Forrester  survey,  38  percent  of  respondents  said  they  have  no 
plans  to  deploy  encryption  tools.  Ouch. 

The  Solution  |  CIOs  need  to  do  some  classic  risk  management,  says 
Friedlander,  and  ask  themselves:  What  is  the  information  on  the  sys¬ 
tem  that  I  care  about  the  most?  Who’s  connected  to  a  network  where 
I  might  be  exposed?  And  then  they  should  create  or  revise  their  secu¬ 
rity  policies  based  on  that  assessment.  For  example,  if  a  laptop  has  cus¬ 
tomer  information  on  it  that  would  kill  the  company  if  it  got  into  a 
competitor’s  hands,  then  the  CIO  should  ensure  that  encryption  was 
turned  on.  Users  need  to  understand  “why  these  policies 
and  technologies  are  in  place  that  may  seem  incon¬ 
venient,  but  why  they  do  matter,”  says 
Friedlander.  “If  they  realize  the  implica¬ 
tions,  most  people  will  want  to  act.”  If 
the  information  on  another  laptop  is  less 
critical,  then  more  basic  security  meas¬ 
ures,  such  as  strong  passwords,  can  be 
used,  he  says. 

Tales  of  the  Tapes 

The  Hole  |  Let’s  not  forget  the  good 
ole  data  tape— in  particular,  CitiFinan- 
cial’s  now-infamous  UPS  shipment  of 
unencrypted  computer  tapes  that  were  lost  in 
transit  to  a  credit  bureau.  A  whopping  3.9  million  Citi- 
Financial  customers’  data  was  on  those  tapes,  including  their  names, 
Social  Security  numbers,  account  numbers  and  payment  histories. 
The  Problem  |  CitiFinancial  has  stated  it  “[has]  no  reason  to 
believe  that  this  information  has  been  used  inappropriately.”  But  on 


the  other  hand,  there’s  no  reason  to  believe  that  it  won’t  be. 

There  are  companies  that  specialize  in  handling  data  tapes,  Iron 
Mountain  for  one.  But  even  Iron  Mountain  is  not  impervious  to  secu¬ 
rity  snafus.  In  May,  Time  Warner  announced  that  Iron  Mountain 
had  lost  40  backup  tapes  that  had  the  names  and  Social  Security 
numbers  for  600,000  of  its  current  and  former  U.S.-based  employ¬ 
ees  and  for  some  of  their  dependents  and  beneficiaries.  Iron  Moun¬ 
tain  says  it  has  recently  suffered  three  other  “events  of  human  error” 
that  resulted  in  the  loss  of  customers’  backup  tapes— and  these  are  the 
guys  who  supposedly  are  all  about  security  and  nothing  else. 

The  Solution  |  In  July,  Citigroup  said  it  will  start  shipping  cus¬ 
tomer  information  via  direct,  encrypted  electronic  transmissions. 
Though  “you  can  squeeze  a  lot  more  data  into  a  truck  than  you  can 
over  the  wire,”  Couture  of  Gartner  Research  says,  “[sending  data 
electronically]  could  be  cost-effective  for  smaller  companies  with 
small  amounts  of  data.”  Citigroup’s  new  shipping  method  will  also 
take  much  of  the  people  part  out  of  the  equation.  “Any  time  you  have 
to  touch  that  tape  and  add  a  human  element  in  the  process,  there’s  the 
potential  [for]  incompetence,  malfeasance,  and  pure  and  simple  stu¬ 
pidity,”  Couture  says.  (For  more  on  solutions  to  identity  theft,  see 
“New  Locks,  New  Keys”  on  Page  88.) 

How  Much  for  a  BlackBerry? 

The  Hole  |  This  tale  has  been  told  so  often  that  it  is  teetering  on 
the  brink  of  urban  legend  status:  Back  in  2003,  a  former  Morgan 
Stanley  executive,  apparently  with  no  more  use  for  his  BlackBerry, 
sold  the  device  on  eBay  for  a  whopping  $15.50. 

The  Problem  |  The  surprised  buyer  soon  found  out  that  the 
BlackBerry  still  contained  hundreds  of  confidential  Morgan  Stan¬ 
ley  e-mails,  according  to  a  Forrester  report. 

The  Solution  |  First,  users  with  handhelds,  laptops  and  other 
devices  need  to  be  made  to  understand  what’s  really  at  stake.  “It’s  not 
the  laptops  that  are  the  issue;  it’s  what’s  on  them,”  says  For¬ 
rester’s  Friedlander.  Second,  CIOs  need  to  institute  a 
repeatable  and  enforceable  policy  for  device  and 
access  management— even  for  high-powered 
executives.  When  someone  leaves  the  com¬ 
pany,  he  should  have  to  turn  in  all  of  his 
corporate-issued  devices,  and  IS  should 
lock  him  out  of  all  applications  to  which 
he  had  access.  “If  you  have  1,000  users, 
there  should  be  1,000  accounts,” 
says  the  CISO  of  a  large  Midwestern 
financial  services  company.  “So 
why  are  there  1,400?  Because  peo¬ 
ple  who  have  left  still  have  authority' 
to  log  in.”  According  to  the  Forrester 
report,  Morgan  Stanley  did  have  a 
policy  that  stated  that  mobile  devices 
should  be  returned  to  IS  for  “data 
cleansing,”  but  this  exec  must  have 
slipped  through  the  front  door. 


70 


OCTOBER  15,  2005  |  www.cio.com 


NEED  A  GOOD  REASON  TO 


USE  A  3M  PRIVACY  FILTER? 


THE  PERSON  NEXT  TO  YOU 


IS  READING  THIS  RIGHT  NOW 


a.-:  „  J 

-Vi-:.,.'  iv  Svi  m  "■  ■' 

You  get  your  work  done.  The  wandering  eyes  beside  you  see  only  a  dark  screen.  Reassuring  3M'“  Privacy  Filters.  Made  of  slim,  protective,  rigid-yet-flexible  polymer. 
Easy  to  attach  and  remove.  Available  for  laptops  in  many  sizes.  Uncanny  3M  microlouver  technology  blocks  out  side  views  while  you  see  your  screen  clearly  as  ever. 
You  have  to  not  see  it  to  believe  it.  Available  only  at  online  retailers.  1 -888-PRIVACY  3MPrivacyFilter.com 


3M 

Privacy  Filters 


©  3M  2005.  3M,  Vikuiti  and  the  Vikuiti  'Eye'  symbol  are  trademarks  of  3M. 


Now  you  see  it.  Now  they  don’t. 


Security  Fixes 


Another  huge  problem  is  those  longtime  employees  who  move 
around  the  company  and  retain  access  to  data  associated  with 
their  previous  jobs  even  though  it’s  unrelated  to  their  new 
position,  says  Jeffrey  Margolies,  lead  for  Accen¬ 
ture’s  security  services  and  identity  manage¬ 
ment  practice.  “They  accumulate  access  over 
time,  and  they  are  an  audit  nightmare.” 

A  solution  is  to  set  up  one  place  (whether 
it’s  a  website  or  paper  form)  where  employees 
can  request  access  to  applications,  Margolies  says. 

CIOs  need  a  policy  that  states  who  has  access  to 
what  systems  and  why,  with  IT,  HR  and 
security  getting  to  make  the  decisions.  “Over 
the  last  10  years,  we  have  built  hundreds  of  appli¬ 
cations,  and  every  single  application  has  its  own  way  of  [deter¬ 
mining]  access  and  managing  that  access,”  he  says.  “But  just  [giving 
people]  one  place  to  go  and  [saying]  just  fill  out  this  form— even  if  it’s 
paper— the  level  of  confusion  is  reduced.” 

IM  Not  OK 

The  Hole  |  One  of  your  top  sales  guys  is  a  huge  believer  in  instant 
messaging.  In  fact,  he’s  been  using  a  consumer-grade  IM  client 
(probably  AOL  Instant  Messenger)  to  communicate  with  his  cus¬ 
tomers  for  years.  And  this  hypothetical  salesman’s  IM  name  fits  his 
personality  perfectly:  Big  Bad  Texan. 

The  Problem  |  There  are  three,  says  Osterman  of  Osterman 
Research.  First,  security:  A  consumer-grade  IM  client  used  on  a  cor¬ 
porate  system  will  bypass  all  antivirus  and  spam  software.  Second, 
compliance:  Consumer-grade  IM  clients  don’t  have  auditing  and  log¬ 
ging  capabilities  for  regulatory  compliance.  And  third,  name-space 
control:  If  Big  Bad  Texan  takes  a  job  at  your  competitor,  rest  assured 
he’s  taking  his  IM  name— and  your  key  customers— with  him. 
“There’s  no  clue  to  the  outside  world  that  he  left,”  Osterman  says. 
The  Solution  |  The  first  step  is  for  CIOs  to  admit  to  themselves 
that  consumer-grade  IM  could  be  running  rampant  in  their  organ¬ 
izations.  Osterman  estimates  that  30  percent  of  all  e-mail  users  are 
instant  messaging  these  days.  Like  e-mail,  CIOs  need  to  develop  an 
acceptable-use  policy  and  make  sure  everyone  understands  it.  Then 
CIOs  have  two  options:  Allow  consumer-grade  IM  to  remain  in 
place  and  deploy  a  system  that  will  provide  any  number  of  security 
functions,  such  as  blocking  file  transfers  or  mapping  IM  screen 
names  to  corporate  identities,  says  Osterman.  Alternatively,  CIOs 
can  replace  consumer-grade  IM  tools  with  an  enterprise-grade  sys¬ 
tem.  “This  can  be  a  more  expensive  and  disruptive  option,  but  it’s 
one  that  many  organizations  are  choosing,”  Osterman  says. 

Unwired  and  Unsafe  Workers 

The  Hole  |  The  CISO  of  the  Midwestern  financial  services  com¬ 
pany  shares  this  nightmare:  An  executive  decides  she  wants  to  put 
a  wireless  access  point  in  her  house  so  she  can  work  at  home  from 
anywhere  in  her  house.  Her  son  gets  her  up  and  running.  She  wire¬ 


lessly  logs  into  the  network,  and 
she  uses  the  default  password  for 
the  connection  that  came  straight 
out  of  the  box. 

The  Problem  |  “Go  to  every 
single  hacker  site,  and  you  can 
find  every  default  password  and 
user  ID  [for  wireless  routers],” 
says  the  CISO.  “Home  PCs  are 
one  of  the  greatest  vulnerabilities.”  And 
once  this  executive  authenticates,  oth¬ 
ers  can  see  how  she  did  it,  “then  peo¬ 
ple  are  in,”  the  CISO  says. 

The  Solution  |  Back  to  the  basics  with 
this  one.  CIOs  need  to  make  sure  all  employ¬ 
ees  who  work  from  home  know  that  they  have  to 
change  all  the  default  settings,  and  they  can’t  forget  about  firewall, 
VPN,  antivirus  patching  and  authentication  tools.  That  all  takes 
an  omnipresent  security  education  program,  but  to  this  CISO,  it’s 
the  cost  of  doing  business  today.  “The  struggle  with  security  edu¬ 
cation  is  getting  it  so  it  becomes  like  breathing,”  the  CISO  says. 
“Users  have  to  become  smarter  about  how  they  do  things.” 

40  Million  “Served” 

The  Hole  |  In  June,  MasterCard  announced  that  CardSystems 
Solutions,  a  third-party  processor  of  credit  card  transactions  for 
MasterCard,  Visa,  American  Express  and  Discover,  allowed  an 
unauthorized  individual  to  infiltrate  its  network  and  access  card¬ 
holder  data. 

The  Problem  |  Up  to  40  million  cardholders’  information  could 
have  been  exposed.  It  turns  out  CardSystems  had  violated  its  agree¬ 
ment  with  the  credit  card  companies:  It  was  not  allowed  to  store  card¬ 
holders’  account  information  on  its  systems,  and  yet  it  did  just  that. 
The  Solution  |  If  a  company  has  an  agreement  not  to  store 
another  company’s  data  on  its  systems,  it  shouldn’t.  And  if  for  some 
strange  reason  it  becomes  necessary,  the  company  had  better  ensure 
that  it  has  the  necessary  controls.  “All  of  those  cases  of  breaches 
speak  to  the  need  for  a  good,  old-fashioned  defense,  in-depth,  with 
multiple  layers  of  control,”  says  PwC’s  Lobel.  For  example,  he  says, 
instead  of  just  having  a  firewall,  companies  should  have  multiple 
layers  of  controls  on  their  network.  Or  rather  than  just  using  SSL, 
companies  need  to  use  authentication  too.  “You  get  into  the  security 
versus  ease-of-use  trade-off  and  cost,”  he  says.  “That’s  the  decision 
that  businesses  have  to  make  with  their  eyes  wide  open.” 

In  the  end,  how  a  company  views  security  and  protects  its  cus¬ 
tomers’  and  employees’  data  will  have  a  direct  correlation  to  its 
longevity.  In  the  case  of  CardSystems,  in  July  both  Visa  and  Amer¬ 
ican  Express  said  they  no  longer  wanted  to  do  business  with  the 
company.  Ed 


Staff  Writer  Thomas  Wailgum  can  be  reached  at  twailgum@cio.com.  Editorial 
Intern  C.G.  Lynch  contributed  to  this  report. 


72 


OCTOBER  15,  2005  |  www.cio.com 


View  from  the  Top 


Herbert  Allison,  CEO  of  TIAA-CREF,  boosted  the  CTO 
position  and  restructured  IT  to  help  the  retirement  services 
company  stem  rising  costs  and  maintain  its  industry  standing 


Since  its  founding  in  1918,  New  York  City-based 
nonprofit  financial  services  company  TIAA-CREF 
has  expanded  its  business  beyond  pensions  to  include 
variable  annuities,  insurance,  financial  advice,  trust 
services  and  college  tuition  financing.  The  company, 
which  has  traditionally  served  artists,  educators, 
researchers,  health-care  providers  and  the  institutions 
employing  them,  has  had  its  ups  and  downs  over  the 
years,  most  recently  in  the  early  part  of  the  new  mil¬ 
lennium.  By  2002,  TIAA-CREF  had  expanded  so 
much  that  high  costs  were  beginning  to  impair  its  abil¬ 


ity  to  maintain  its  position  as  the  low-cost  provider  in 
the  retirement  services  business.  More  agile,  innova¬ 
tive  and  customer-focused  companies  threatened  to 
lure  away  TIAA-CREF’s  clients. 

That  year,  Herbert  Allison  was  elected  TIAA- 
CREF’s  chairman,  president  and  CEO,  and  was 
charged  with  modernizing  and  restructuring  the  com¬ 
pany.  One  of  the  first  areas  the  soft-spoken  Wall  Street 
heavyweight  targeted  was  IT.  He  called  for  raising  the 
profile  of  the  company’s  CTO  (in  investment  compa¬ 
nies,  the  “CIO”  acronym  Continued  on  Page  78 


74  OCTOBER  15,  2005  |  www.cio.com 


MlCROSOFT.COM/SEC 

Microsoft 


URITY/IT 


Find  the  tools  and  guidance  you  need  for  a  well-guarded  network 
at  microsoft.com/security/IT 


Microsoft%WindowsRXP  Service  Pack  2:  Download  it  for 
free  and  get  stronger  system  control  and  proactive  protection 
against  security  threats. 

Free  Tools  &  Updates:  Download  free  software  like  Microsoft 
Baseline  Security  Analyzer  to  verify  that  your  systems  are 
configured  to  maximize  security.  Manage  software  updates 
easily  with  Windows  Server  Update  Services. 


Microsoft  Risk  Assessment  Tool:  Complete  this  free,  Web- 
based  self-assessment  to  help  you  evaluate  your  organization's 
security  practices  and  identify  areas  for  improvement. 

Internet  Security  and  Acceleration  Server  2004:  Download 
the  free  120-day  trial  version  to  evaluate  how  the  advanced 
application-layer  firewall,  VPN,  and  Web  cache  solution  can 
improve  network  security  and  performance. 


Microsoft 


G  2005  Microsoft  Corporation.  All  rights  reserved.  Microsoft,  Windows,  and  Windows  Server  are  either 
registered  trademarks,  or  trademarks  of  Microsoft  Corporation  in  the  United  States  and/or  other  countries. 


C\0\fe 


„-.rectot’  lt-u\e  W'  ,, 

,\o«e 


» pe^-  -  ^e  \tnP 

^’^VSS' 


YfltoV 


r  lAeaS.a,^005,-v,oe^% 


»«<>•*' 


vds 


\e<ds 


.  «»<; t—"  „„,, 

.  .*&*** 


\\\esC 


^otrP° 


,v^e 


»»**£&** ® 


to 


pVcs- 


.  A«e^ele°Trd?teSetnie\\'8enCe,  lStef 


^SC'19® 


2^ 


Q\0^a 


aVv/-^ 


«**$2>* 


^\\e 


to 


\e»'“ 


pte 

1 


03 


aw^'s 


i 

i  t>* 


Sponsored  by 


BlackBerry. 


4$equant 


INFORMATICA 


intel 


i  R  i  s  e 

VISUALIZE.  INNOVATE.  DELIVER!” 


MICRO 

FOCUS 


Presented  by 


The  Resource  for 
Information  Executives 


View  from  the  Top 


When  Herbert  Allison 

became  TIAA-CREF’s  CEO 
in  2002,  he  called  for  raising 
the  profile  of  the  company’s 
CTO,  centralizing  IT  and 
developing  a  new  technology 
platform  that  would  allow 
TIAA-CREF  to  realize  its 
strategic  goals. 


Continued  from  Page  74  is  reserved  for  the 

chief  investment  officer),  centralizing  IT  and 
developing  a  new  technology  platform  that 
would  allow  TIAA-CREF  to  realize  its  strate¬ 
gic  goal:  to  become  the  go-to  retirement  serv¬ 
ices  provider  for  moderate  to  affluent 
individuals  by  keeping  its  prices  low  and  by 
tailoring  products,  services  and  advice  to 
individual  clients. 

Allison  takes  pride  in  TIAA-CREF’s  IT 
department  and  its  accomplishments,  boast¬ 
ing  about  its  ability  to  develop  a  new  technol¬ 


ogy  platform  in  two  years  when  outside 
experts  predicted  it  would  take  three  or  four. 
“IT  is  central  to  our  strategy  and  to  virtually 
all  of  our  initiatives,”  he  says.  CIO  talked  to 
Allison  about  his  views  on  IT,  the  role  that 
technology  is  playing  in  the  company’s  turn¬ 
around,  and  how  IT’s  reputation  has  changed 
for  the  better. 

CIO:  You  worked  for  Merrill  Lynch  for  28 
years  before  joining  TIAA-CREF.  How  did 
your  tenure  at  Merrill  shape  your  views 


TIAA-CREF 

Headquarters: 

New  York  City 

Primary  business: 

Retirement  funds 

Assets  under  management: 

$350  billion 

Clients: 

3.2  million 

Employees: 

5,500 


78 


OCTOBER  15,  2005  |  www.cio.com 


PHOTO  BY  JEFF  WEINER 


Small  Workgroup  Office  # 


Road- Warn  or  Office  # 


/\j 


""  Bran ^  ^  M 


Take  cost  out  of  your  business  and  increase  productivity 
No  matter  where  you  do  business. 


Comprehensive  selection 
Increased  productivity 
>■  Lower  acquisition  costs 


Brother  Printer,  Fax  and  Multi-Function  Center®  models  — 
designed  to  increase  productivity  while  decreasing  overhead. 


>*  Reduced  consumable  costs 
>■  24/7/365  support  and  service 
>■  Free  evaluation  program 


Mobile  Printing  Solutions  Labeling  Solutions 


Considering  that  over  94%  of  Fortune  1000  company  employees  work 
outside  corporate  headquarters*,  equipping  them  with  a  cost-effective 
solution  is,  to  say  the  least,  a  major  challenge. 

That's  why  Brother's  Commercial  Division  is  committed  to  providing 
superior  and  reliable  imaging  solutions  that  increase  productivity  while 
reducing  costs.  This  enables  businesses  like  yours  to  effectively  address  critical 
organizational  goals  and  challenges. 

But  it  is  our  product  reliability,  coupled  with  a  responsive  nationwide 
support  and  service  network,  that  has  companies  like  yours  putting  Brother  at 
the  top  of  their  requisition  lists. 

Brother's  Commercial  Division  welcomes  the  opportunity  to  put  our 
resources  to  work  for  you.  Contact  us  today  so  we  can  show  you  how  we  can 
positively  impact  your  bottom  line  while  enhancing  your  performance. 


Desktop  Laser  Solutions  Color  Laser  Solutions 


For  more  information,  call  1-866-455-7713. 


Network  Printer  Solutions  Fax  Solutions 


^Purchase  Influence  in  Larger  American  Businesses  (Erdos  &  Morgan,  2001). 


©  2005  Brother  International  Corporation,  Bridgewater,  NJ  •  Brother  Industries  Ltd.,  Nagoya,  Japan 
For  more  information  visit  our  Web  site  at  www.brother.com 


View  from  the  Top 


about  technology? 

Herbert  Allison:  At  Merrill,  I  saw  situations 
with  traders  who  have  half  a  dozen  TV 
screens  in  their  work  areas  trying  to  toggle 
between  different  technologies  to  operate  in 
this  very  fast-paced  world  of  securities  trad¬ 
ing.  I  thought  there  was  an  opportunity  to 
use  technology  to  make  their  lives  easier,  to 
plug  into  more  sources  of  data  in  real-time, 
which  is  vital  to  their  competitiveness. 

One  of  the  first  things  I  did  when  I  ran  all 
of  Merrill’s  trading  and  investment  banking 


over  525  business  software  applications 
within  the  company,  and  many  of  these  are 
not  even  compatible.  They  were  written  in  a 
variety  of  languages  going  back  as  far  as 
Cobol  and  Fortran,  and  many  of  them  were 
designed  for  a  single  product  or  process. 
Because  of  this  fragmented  structure,  our  IT 
costs  were  too  high. 

Also,  there  wasn’t  one  repository  of  client 
data.  So  our  consultants  in  our  call  centers 
had  to  toggle  between  different  systems  to 
pull  up  comprehensive  information  about 


that  we  needed  to  focus  on  strategic  priorities. 

So  how  did  you  restructure  IT,  and  how  did 
the  CTO  you  hired  in  2003,  Sue  Kozik,  figure 
in  the  restructuring? 

For  the  technology  area  to  be  most  effective, 
I  felt  we  needed  to  bring  together  the  dis¬ 
parate  groups  of  technology  experts  around 
the  company  and  elevate  the  CTO  position  to 
top  management.  We  also  needed  to  develop 
policies  we  could  apply  across  the  company 
to  make  sure  we  could  marshall  technology 


Before  I  actually  started  as  CEO  and  in  the  first  weeks  I  was  working  here, 

I  interviewed  many  individuals  around  the  company— even  the  head  of  IT  at  the 
time— who  said  that  they  thought  the  IT  professionals  were  not  delivering  projects 
on  time  and  in  some  cases  were  not  viewed  as  being  sufficiently  responsive. 

-HERBERT  ALLISON,  CEO,  TIAA-CREF 


was  to  appoint  the  first  CTO  of  that  group  to 
catalog  all  the  systems  we  were  using, 
rationalize  those  systems,  reduce  our  costs 
and  improve  the  functionality  for  our 
traders  and  investment  bankers.  Technol¬ 
ogy,  as  was  typical  in  the  industry,  was 
balkanized  among  many  different  areas. 

You  found  a  similar  balkanization  of  IT  at 
TIAA-CREF.  Tell  me  more  about  the  state  of 
IT  at  TIAA-CREF  when  you  first  joined  the 
company. 

We  had  a  very  large  IT  staff  with  a  lot  of  very 
capable  and  dedicated  people.  As  much  as 
30  percent  of  our  people  were  devoted  to  IT, 
but  they  were  not  being  allocated  strategi¬ 
cally.  They  were  decentralized  around  the 
company  and  responded  to  requests  from 
the  business  and  support  areas  in  which 
they  were  located  to  develop  the  applications 
and  IT  capabilities  those  units  needed.  They 
were  being  pulled  in  different  directions  on 
many,  many  projects,  some  strategically 
vital  and  others  less  so,  because  the  com¬ 
pany  was  functioning  in  silos  without  any 
real  centralized  IT  organization. 

That  [decentralization]  led  to  a  prolifera¬ 
tion  of  systems  and  IT  platforms.  We  have 


clients.  And  because  we  didn’t  have  inte¬ 
grated  systems  that  would  let  us  produce 
one  consolidated  quarterly  statement  for 
participants  that  showed  them  [the  per¬ 
formance  of  all  their  funds],  a  participant 
could  receive  two,  three  or  even  four  state¬ 
ments  from  us  every  quarter. 

How  did  these  opportunities  to  streamline  IT 
become  apparent  to  you? 

In  a  variety  of  ways.  Before  I  actually  started 
[as  CEO]  and  in  the  first  weeks  I  was  working 
here,  I  interviewed  many  individuals  around 
the  company— even  the  head  of  IT  at  the 
time— who  said  that  they  thought  the  [IT] 
professionals  were  not  delivering  projects  on 
time  and  in  some  cases  were  not  viewed  as 
being  sufficiently  responsive.  In  fact,  the  issue 
wasn’t  their  professionalism  or  work  ethic.  It 
was  that  their  work  was  not  being  prioritized. 

Also,  when  I  started  here,  we  conducted  a 
project  called  Decisions  2003.  We  formed  six 
task  forces  to  examine  the  entire  business. 
One  of  the  task  forces  dealt  with  technology. 
We  had  people  from  all  over  the  company  on 
that  task  force.  They  came  back  with  recom¬ 
mendations  similar  to  what  I  heard  in  my 
interviews,  that  we  needed  to  integrate  IT  and 


experts  and  coordinate  their  activity  most 
effectively.  I  wanted  technology  to  be  well- 
integrated  and  easy  to  use. 

Sue  was  given  full  authority  and  account¬ 
ability  for  leading  the  transformation  of  IT. 
She  worked  closely  with  her  colleagues  in 
executive  management  to  set  goals  and  pri¬ 
orities  and  to  coordinate  her  division’s  activ¬ 
ities  with  the  businesses  and  support  groups. 

When  you  hired  Sue,  what  were  you  looking 
for  in  a  CTO? 

Someone  who  appreciates  the  special  mis¬ 
sion  of  TIAA-CREF— providing  excellent, 
low-cost  financial  services  to  those  who 
serve  others;  someone  who  has  high 
integrity  and  deep  professional  experience 
and  will  work  well  with  the  business  and 
support  groups;  and  someone  who  can 
rationalize  our  many  different  IT  activities, 
prioritize  projects  and  speed  delivery  of  crit¬ 
ical  functionality  while  reducing  costs. 

The  retirement  services  industry  is  becom¬ 
ing  more  focused  on  individual  investors. 
Looking  ahead,  what  does  the  role  of  IT  need 
to  be  to  keep  TIAA-CREF  competitive? 

We  decided  that  we’d  have  to  offer  products 


80 


OCTOBER  15,  2005  |  www.cio.com 


AS  SOON  AS  CARS  RUN  ON  A  TANK  OF  GOOSE  DOWN, 
WE’LL  MAKE  0  IE  KIND  OF  SOFTWARE  SOLUTION. 


Your  business  is  unique.  Your  goals  are  defined.  But  the  issues  you  deal  with  every  day  are  complex.  Which  is  why  SAP 
makes  modular  software  solutions  for  the  business  you’re  in.  Whether  you're  a  large  company  or  a  not-so-large  company. 
Whether  you’re  into  fossil  fuel  or  feathers.  We  have  an  SAP®  solution  for  you  —  and  it’s  grounded  in  our  years  of  working 
with  the  best-run  businesses  in  your  industry.  Because  we  know'  business  fundamentals.  And  we  know  what  makes  your 
business  fundamentally  different.  And  so  does  our  software.  Visit  sap.com/unique  or  call  800  880  1727  to  see  how 
we  can  help  your  business. 


THE  BEST-RUN  BUSINESSES  RUN  SAP 


View  from  the  Top 


and  services  from  [other  mutual  fund 
providers]  as  well  as  broaden  our  own  prod¬ 
uct  line.  We’d  have  to  offer  personalized 
advice  and  brokerage  services  as  well  as  a 
much  more  robust  Web  experience  to  make 
us  more  accessible  to  our  clients.  To  sup¬ 
port  those  initiatives,  we  had  to  convert  to 
an  entirely  new  [technology]  platform  with 
far  more  functionality  than  our  old  plat¬ 
form,  which  literally  could  not  accommo¬ 
date  another  mutual  fund  product  being 
added  to  it.  The  old  platform  was  very  rigid 
and  incompatible  with  our  strategic  needs. 
We  call  this  new  product  and  service  plat¬ 
form  Open  Plan  Solutions.  It  enables  us  to 
carry  out  our  strategy  of  offering  advice 
and  a  broad  range  of  products  and  services 
tailored  to  individual  participants.  It  also 
enables  us  to  provide  much  better  and  more 
convenient  record-keeping  services  to  our 
institutions.  It  houses  all  these  different 
pension  products,  services  and  customer 


of  Richmond  to  that  platform,  and  we  just 
rolled  out  a  new  release  of  this  technology 
that  will  enable  us  to  begin  mass-converting 
15,000  institutions  in  less  than  two  years. 

Earlier,  you  alluded  to  the  importance  of  pri¬ 
oritizing  IT  projects.  How  does  TIAA-CREF 
decide  which  projects  to  put  on  the  docket? 

Coming  out  of  Decisions  2003,  we  formed 
a  committee  called  the  New  Project  Invest¬ 
ment  Management  Committee  or,  as  we  say 
it,  “nip-um.”  NPIM  is  devoted  primarily  to 
prioritizing  IT  projects,  developing  corpo¬ 
rate  technology  policy,  and  ensuring  that 
technology  initiatives  are  coordinated 
around  the  company  and  take  advantage  of 
cost  savings. 

NPIM  is  given  an  overall  budget  within 
which  to  work.  The  committee  conducts  a 
very  rigorous  and  often  contentious  process 
of  reconciling  different  priorities  around  the 
company  into  a  coherent  rank-ordered  set  of 


agement  do,  in  order  to  intelligently  priori¬ 
tize  IT  resources.  Also,  NPIM  is  a  way  for 
those  people,  who  have  a  lot  of  potential  for 
growth  within  the  company,  to  get  to  know 
each  others’  priorities  and  get  to  know  more 
about  how  the  company  operates. 

The  NPIM  committee  drives  a  lot  of  the 
budgeting  in  this  company,  not  just  in  IT.  It’s 
a  powerful  committee,  and  its  recommenda¬ 
tions  are  adhered  to  almost  uniformly.  Last 
year,  I  think  [the  executive  team]  made 
almost  no  changes  to  the  recommendations 
that  came  from  the  NPIM  committee. 

During  the  restructuring  you  led  in  2003,  the 
IT  staff  was  cut  pretty  significantly.  Why  did 
you  decide  to  cut  IT  staff  given  your  views  of 
technology  as  a  key  enabler  of  business? 

We  had  to  reduce  our  costs.  We’ve  had  a 
project  under  way  for  the  last  three  years  to 
cut  $300  million  or  20  percent  of  the  cost 
base  that  existed  at  the  beginning  of  2003 


For  the  technology  area  to  be  most  effective,  I  felt  we  needed  to  bring  together 
the  disparate  groups  of  technology  experts  around  the  company  and  elevate 
the  CTO  position  to  top  management.” 

-HERBERT  ALLISON,  CEO,  TIAA-CREF 


records,  and  is  the  basis  for  [disseminat¬ 
ing]  pension-related  client  information  to 
our  consultants  in  our  contact  centers,  in 
our  field  offices,  and  over  the  Web. 

Open  Plan  Solutions  is  a  massive  under¬ 
taking  involving  about  10  percent  of  our  total 
employees.  We  were  told  by  outside  experts 
it  would  probably  take  us  three  to  four  years 
to  develop,  and  we  did  it  in  less  than  two. 
We  have  already  converted  our  own  com¬ 
pany,  Purdue  University  and  the  University 


C-Level  Perspectives 


For  more  thought-provoking  ideas  from  lead¬ 
ing  C-level  executives  on  how  IT  is  helping  or 
hindering  their  businesses,  go  to  www.cio.com 
/specialreports  for  other  installments  of  our 

VIEW  FROM  THE  TOP  series. 

cio.com 


initiatives  that  are  costed  out.  For  each  one  of 
those  initiatives,  there  is  a  business  case  with 
expected  rates  of  return  to  the  organization 
and  ultimately  to  our  participants  who  own 
us.  Every  area  of  the  company— IT,  finance, 
all  of  our  businesses,  even  human  resources 
and  legal— contributes  to  this  process  and  is 
represented  on  the  NPIM  committee. 

Are  you  a  member  of  NPIM? 

I’m  not,  but  the  executive  management  com¬ 
mittee  meets  with  the  NPIM  committee  sev¬ 
eral  times  a  year.  The  reason  why  [I’m  not  a 
member]  is  [because]  I  feel,  and  our  man¬ 
agement  team  feels,  that  we  need  to  have 
people  who  are  closer  to  clients  and  closer  to 
the  daily  work  and  who  understand  these 
[individual  and  institutional  investors’] 
needs  in  more  depth  than  we  in  top  man- 


so  we  could  fund  new  initiatives.  There 
were  a  lot  of  IT  projects  that  were  lower- 
priority  that  we  didn’t  need  to  do,  so  we 
made  cutbacks  there. 

How  has  the  perception  of  IT  inside  the 
company  changed  since  the  restructuring? 

I  think  respect  for  the  IT  department  has 
risen  even  higher.  Since  we  focused  our  IT 
people  [on  the  most-strategic  projects],  they 
have  done  a  magnificent  job  of  delivering  on 
time— in  a  first-class  way— these  priority 
projects,  like  Open  Plan  Solutions.  Our  IT 
people  are  much  more  productive.  They  are 
working  on  what’s  most  needed  and  doing  it 
in  a  high-quality  way.  ram 


Senior  Writer  Meridith  Levinson  can  be  reached  at 
mlevinson@cio.com. 


82 


OCTOBER  15,  2005  |  www.cio.com 


GREAT  PARTNERSHIPS  BEGIN  WITH  SUN 

MORE  THAN  1,600  APPLICATIONS  FOR  SOLARIS  ON  X86/X64  SYSTEMS 


ibea 


Think  liquid. 


IBM, 


Information  Management  Software 


IBM, 


Rational, 


software 


IBM, 


Tivoli 


software 


“We  trust  that  the  superior  performance  and  scalability 
of  Solaris  10  will  pave  the  way  for  more  business, 
and  our  technology  will  become  a  very  powerful 
and  profitable  combination.  Now  we  can  scale  our 
solution  according  to  our  customers’  needs  and  move 
vertically  and  horizontally  to  be  able  to  support 
millions  of  corporate  and  retail  banking  clients  with 
absolute  ease,  high  flexibility  and  strong  reliability.” 
-DS3 


IBM, 


WebSphere 


software 


I88TIBCO’ 

The  Power  of  Now® 


Rogue  Wave 

SOFTWARE 


A  QUOVADX  DIVISION 

SUNGARD* 


*  Symantec,. 


“Oracle  and  Sun  deliver  technical  innovation  and 
value  through  our  joint  engineering  efforts  to 
help  reduce  the  cost  and  complexity  associated 
with  data  management.  Oracle  Database  log,  in 
conjunction  with  the  superior  functionality  of  the 
Solaris  10  OS  and  flexibility  of  Sun  servers  based 
on  the  AMD  Opteron  processor,  offers  proven 
performance,  reliability,  and  security  to  thousands 
of  customers  around  the  world.”  —Oracle 


EMC2 

where  information  lives* 


AMD 


“Speed,  transparency,  support,  virtual  memory,  and 
the  Java  Desktop  System  software  make  Solaris  10 
our  operating  system  of  choice.”  —  DataXpress 


©  2005  SUN  MICROSYSTEMS,  INC.  ALL  RIGHTS  RESERVED.  SUN.  SUN  MICROSYSTEMS,  THE  SUN  LOGO,  SOLARIS  AND  THE  SOLARIS  LOGO  ARE  TRADEMARKS  OR  REGISTERED  TRADEMARKS  OF  SUN  MICROSYb 
INC.  IN  THE  UNITED  STATES  AND  OTHER  COUNTRIES. 


What  if  your  assets  had  appreciating  value  instead  of  depreciating  value? 

With  Maximo®  Enterprise  Suite,  you  not  only  see  the  performance  of  all  of  your  assets  across  your  enterprise,  but  also  the  untapped 
potential  within  them.  So  you  can  make  every  stage  of  every  asset  life  cycle  more  valuable.  And  gain  the  information  and  the  control 
you  need  to  more  closely  align  your  transportation  assets  with  your  business  strategies.  To  learn  more  about  our  Strategic  Asset 
and  Service  Management  solutions,  call  800-326-5765  or  download  our  white  paper,  Maximizing  the  Return  From  Asset  and 
Service  Management  Systems,  at  www.maximoenterprise.com/cio 

mro  software 


©2005.  MRO  Software,  Inc.  All  rights  reserved.  Maximo  is  a  registered  trademark  and  MRO  Software  is  a  trademark  of  MRO  Software,  Inc. 


make  it  «//  count 


“My  boss  told  me  I  was  a  bright 
young  guy  with  a  great  future,  but 
I  had  to  learn  to  be  a  better  communi¬ 
cator,”  says  De  Vault,  who  is  now  man¬ 
aging  principal  of  the  mid-Atlantic 
region  for  Internosis  (an  IT  consul¬ 
tancy),  with  responsibilities  that 
include  running  IT.  DeVault’s  boss, 
Internosis  CEO  Robert  Stalick,  told 
him  that  his  memos  were  filled  with 


emo 


The  five  questions  to  answer  when 
writing  a  business  memo 


BY  MICHAEL  FITZGERALD 


“How  to  Write  a  Memorable  Memo”  is  fourth 
in  an  occasional  series  titled  Advanced  Com¬ 
munications.  These  articles  feature  practical 
advice  designed  to  help  you  improve  the 
communication  skills  you  need  to  succeed 
as  managers  and  leaders. 


www.cio.com  I  OCTOBER  15,  2005 


Advanced  Communications 


technical  jargon  that  meant  nothing  to  the 
nontechnology  executives  who  read  them. 
Stalick  added  that  80  percent  of  what  makes 
a  memo  work  is  its  attention  to  the  needs  of 
its  readers. 

Mastering  the  seemingly  mundane  art  of 
writing  memorandums  might  not  seem  like 
a  career  advancer,  but  in  fact,  memos  remain 
the  key  way  of  communicating  within  com¬ 
panies,  even  in  these  days  of  videoconfer¬ 
encing  and  webcasts.  While  memos  are  often 
sent  electronically  now,  they’re  still  the  way 
companies  communicate  strategies,  direc¬ 
tives,  meeting  results  and  employee  per¬ 
formance.  Memos  are  particularly  important 
in  large  companies  or  departments  with  peo¬ 
ple  at  multiple  locations. 

DeVault’s  boss  was  right  to  emphasize  the 
reader,  say  business  writing  consultants. 
While  finer  points  such  as  writing  in  the 
active  voice  and  using  outlining  to  help 
organize  thoughts  are  useful,  “what’s  really 
important  for  the  CIO  or  anyone  else  is  to  tai¬ 
lor  their  communications  to  their  reader,” 
says  Barry  Eckhouse,  professor  in  the  School 
of  Economics  and  Business  Administration 
at  St.  Mary’s  College  of  California  and  author 


of  several  books  on  business  writing  and 
communications.  Usually,  he  says,  memos 
are  “oriented  toward  the  sender  and  the 
sender’s  interest.” 

That’s  a  huge  mistake  for  any  executive  to 
make,  but  in  particular  CIOs,  because  of  the 
historical  rift  between  the  languages  of  IT 
and  business.  Poor  memos  can  cause  busi¬ 
ness-side  executives  to  turn  down  project 
and  budget  requests  if  they  aren’t  framed  in 
a  way  that  shows  the  value  for  the  business, 
or  they  assume  too  much  knowledge  on  the 
part  of  readers. 

“Too  often,  CIOs  have  as  the  subject  of  a 
memo  [something  like]  ‘New  Laptops,”’ 
says  Eric  Brown,  founder  of  Communica¬ 
tion  Associates.  The  memo  will  go  on  to  say 
that  laptops  are  desperately  needed  and  will 
cite  the  cost— but  won’t  explain  why  they  are 
needed.  So  its  message  will  be  ignored. 
“CIOs  don’t  get  the  laptops,  and  they  won¬ 
der  why,”  he  says. 

Brown  says  it’s  because  many  IT  people 
fail  to  consider  the  purpose  of  the  memo, 
which  should  be  to  offer  a  solution  to  a  busi¬ 
ness  problem.  In  this  case,  the  point  is  not 
that  the  company  needs  new  laptops;  rather, 


it  might  be  that  the  company  needs  to  address 
why  it’s  been  losing  sales.  If,  for  example, 
the  existing  laptops  no  longer  connect  well 
with  corporate  systems— and  therefore  sales¬ 
people  can’t  give  the  same  information  to 
potential  customers  as  their  rivals  can— then 
a  technology  upgrade  could  have  a  direct 
impact  on  the  company’s  profitability.  (See 
“Before,”  on  this  page  and  “After,”  on  Page  87, 
to  see  how  Brown  helped  one  CIO  success¬ 
fully  rewrite  just  such  a  memo. 

Brown  notes  the  stereotype  that  technolo¬ 
gists  often  enter  the  IT  field  because  they 
don’t  like  having  to  communicate.  But  com¬ 
munication  is  hugely  important  to  all  man¬ 
agers,  he  says. 

CIOs  should  know  that  a  good  memo 
really  is  built  around  the  answers  to  five 
questions: 

1.  WHO’S  THE  READER? 

The  answer  to  this  question  helps  the  CIO 
frame  the  memo.  Nontechnical  readers  may 
need  a  terminology  key.  A  mixed  group  of 
readers,  or  a  distribution  list  that  includes 
people  unfamiliar  with  a  project,  might  dic¬ 
tate  adding  a  background  section. 


. . . 


To:  Joe  Boss 

From:  Mary  Tech  Exec 

Subject:  Notebooks 


BEFORE 


The  Quick  E-Mail 


Fast  but  unfocused  notes 
fail  to  persuade 


Joe... 


The  mobile  sales  force  needs  new  notebook  PCs.  The  best  bet  would 
be  a  new  Dell,  probably  the  Inspiron  line,  most  specifically  the  700m. 
This  line  weighs  in  at  4.1  pounds,  with  a  12.1"  Wide  Screen  monitor,  is 
1.5"  thin,  has  Integrated  Intel  ProWireless  or  Optional  Dell  Internal 
Wireless  Solution.  With  various  selections,  we  can  have  up  to  the 
Intel  Pentium  M  Processor  755  (2.0GHz,  2MB  Cache,  400MHz  FSB) 
with  Intel  Centrino  Mobile  Technology.  The  street  price  is  roughly 
$1,600;  of  course  our  IT  specialists  can  do  much  better. 

Let  me  know  your  decision.  We're  all  ready! 


2 .  WHAT  DO  I  WANT 
READERS  TO  RECALL? 

“Most  people  don’t  take  the  time  to  really 
understand  what  their  key  message  is.  They 
just  sit  and  write.  I  ask  them,  ‘What  is  the 
one  key  piece  of  information  you  want  your 
reader  to  remember?’  and  most  of  them  say 
‘I  don’t  know,”’  says  Sheryl  Lindsell-Roberts, 
a  communications  consultant  who  is  the 
author  of  Strategic  Business  Letters  and  E-mail. 
CIOs  must  know  what  their  point  is  and 
write  to  support  that. 

3.  WHAT  FORMAT 
SHOULD  I  USE? 

E-mail  has  replaced  paper  for  most  kinds  of 
written  communication,  and  that’s  especially 
true  in  the  IT  world.  But  CIOs  should  remem¬ 
ber  that  people  often  print  important  e-mails. 
An  e-mailed  memo  should  be  easily  readable 
when  printed  out,  with  short  paragraphs  and 
even  margins.  Alternately,  CIOs  can  give  a 


86 


OCTOBER  15,  2005  |  www.cio.com 


AFTER: 


The  Structured 
Memo 

Issues  summarized,  chal¬ 
lenges  overcome,  a  solution 
presented. ..equals  a  formula 
for  success 


To:  Joe  Boss 
From:  Mary  Tech  Exec 

Purpose  of  This  Memo 

To  review  how  new  notebook  PCs  will  hoi 

improve  customer  regions  and  the  CoZT™  *"  ^  '<*  °f  -ies  and 

^tehChallengef0r  Corporate  Growth 

With  our  corporate  manrt^w  ■ 

P"- 

The  Financial  Drain  of  Our  r  goa,s’ 

^e25peop,em,hel^:Z,ehb00kS 

A  Cost-Effective  Solution  e  0  he  customer  meeting. 

the  specs  and  strong  cTpTb^Ty  for  sT  'eader  3t  3  reas°nable  price  Not 

7 — 

Screen.  ,  ,  P  nds'  T5  inches  thin 
screen,  a  large  12.1  inches 

Processor:  fast  Inte^Penhum  m  p"  PnmarV  battery  (32WHr) 

Recommendation  ss  with  volume  discount 

1  stror,g|y  recommend  that  we  make  thk 


SOURCE.  Eric  Brown.  Communication 


Associates 


particularly  important  memo  more  oomph 
by  sending  it  on  paper.  “People  are  so  bom¬ 
barded  with  e-mail  that  paper  can  really 
make  an  impact,”  says  Lindsell-Roberts. 

4.  CAN  I  SAY  IT  MORE 
SIMPLY? 

Most  memos  shouldn’t  go  much  past  half  a 
page,  and  certainly  not  more  than  three, 
except  on  rare  occasions.  CIOs  have  to 
watch  out  for  the  technologist’s  tendency 
to  explain  things.  “CIOs  often  write  too 
much,  they  overdo  things,  they’re  too  help¬ 
ful,”  says  Deborah  Dumaine,  author  of 
Write  to  the  Top  and  president  of  Better 
Communications  Business  Writing  Work¬ 
shops.  Best  to  keep  things  to  the  point  and 
avoid  jargon,  which  only  confuses  people 
not  in  IT.  And  remember  that  it’s  OK  to 
use  one-sentence  paragraphs;  that’s  a  good 
way  of  emphasizing  the  main  point. 

5.  HOW  DOES  THIS 

SOUND? 

Ask  someone  else  to  read  your  memo 
before  you  send  it  out.  It  can  be  your  assis¬ 
tant,  a  management  peer  or  one  of  the  com¬ 
pany’s  professional  communicators  in 
marketing  or  public  relations.  Len  Rand, 
who  spent  22  years  in  management  posi¬ 
tions  at  companies  such  as  Intel  and 
Intergraph  before  becoming  one  of  the 
managing  directors  of  Granite  Ventures, 
says  he  learned  early  on  to  have  a  corpo¬ 
rate  communications  specialist  look  at 
many  of  his  memos.  He  happened  to  ask 
a  PR  woman  on  his  staff  to  look  over  a 
memo  he’d  been  struggling  with.  ‘“She 
came  back  with  something  that  was 
much  better.  And  I  said,  Why  should  I  be 
proud?  I  have  people  on  staff  who  are  acces¬ 
sible  to  me  who  are  professionals  at  writing 
or  at  expressing  something  for  HR.  Why 


Be  a  Better  Communicator 


Glean  other  career-advancing  tips— on  working 
with  the  board,  facial  expressions  and  golf  eti¬ 
quette-in  the  ADVANCED  COMMUNICATIONS 
series.  Find  it  at  www.cio.com/specialreports. 

cio.com 


shouldn’t  I  use  that  to  my  advantage?” 

It  may  take  some  time  to  make  these  five 
questions  part  of  your  memo-writing  style. 
De Vault  remembers  the  struggle  he  faced  in 
changing  his  technique,  although  he  was 
young  and  eager  to  do  so.  Even  Staliek, 
DeVault’s  boss,  who  started  out  as  a  jour¬ 
nalist  and  has  always  made  good  writing  a 
part  of  his  management  style,  fesses  up:  “I 
have  written  bad  memos.” 


But  mastery  of  memo  writing  is  some¬ 
thing  any  CIO  can  and  should  do.  With  a  lit¬ 
tle  practice,  your  memo  writing  will  improve 
to  the  point  where  you’ll  find  others  respond¬ 
ing  the  way  you  want  them  to.  HH 


Send  feedback  on  this  article  to  ietters@cio.com. 
Michael  Fitzgerald  ( michael@mffitzgeratd.com )  is  a 
freelance  writer  based  outside  Boston. 


www.cio.com  |  OCTOBER  15,  2005 


87 


ESSENTIAL 


FROM  INCEPTION  TO  IMPLEMENTATION-I.T.  THAT  MATTERS 


Edited  by  Christopher  Lindquist 

clindquist@cio.com 


CIOs  need  to 
examine  options 
for  authenticating 
users— or  risk 
their  companies 
becoming  the  latest 
data  theft  headline 


New  Locks,  New  Keys 

BY  GALEN  GRUMAN 

SECURITY  |  No  doubt  all  the  breaches  of  customer  data  this  year  have  forced  you  to 
defend  your  security  strategy.  And  no  doubt  you’re  being  pushed  to  improve  security  with¬ 
out  increasing  costs  or  scaring  away  users  in  the  process.  You  might  be  hoping  the  pressure 
will  subside  as  the  breaches  become  distant  memories,  but  both  the  federal  and  state  gov¬ 
ernments  aren’t  likely  to  give  you  that  break. 

CIOs  at  retailers  must  analyze  the  current  security  measures  they  take  for  data  in  three 
areas:  in  transit  online,  at  the  point  of  sale  and  where  it  is  stored.  The  analysis  of  each  area 
should  determine  how  data  is  secured,  accessed  and  utilized,  and  what  the  risk  is  at  each  step, 
says  John  Pironti,  principal  security  consultant  at  Unisys.  At  the  same  time,  CIOs  of  finan¬ 
cial  services  companies  must  work  around  the  fear  that  outwardly  visible— and  constrain¬ 
ing— security  measures  could  send  customers  fleeing  into  the  arms  of  a  competitor. 


When  They’re  Buying,  Who’s  Watching? 

Of  the  three  security  areas,  the  point  of  sale  is  perhaps  the  least  risky.  While  it’s  possible  for 
properly  equipped  crooks  to  compromise  computerized  point-of-sale  systems,  it’s  simply  eas¬ 
ier  for  the  bad  guys  to  buy  or  steal  information  on  the  Internet  than  to  physically  invade  a 


88 


OCTOBER  15,  2005 


www.cio.com 


ILLUSTRATION  BY  JUSTINE  BECKETT 


“With  Citrix,  we  quickly  deployed 
secure  access  to  critical  systems 
and  saved  millions  of  dollars  in 
application  re-engineering  costs. 
Now  I  can  focus  on  growing 
the  business.” 

Bruce  J.  Goodman 

Senior  Vice  President  and 

Chief  Service  and  Information  Officer 

Humana  Inc. 

•  Citrix  gives  Humana  employees  and  business 
partners  easy,  secure  access  to  more  than  100 
business-critical  information  systems.  As  a  result,  Humana 
is  saving  millions  in  re-engineering  costs  and  reinvesting  in 
growing  its  business.  Because  Citrix  virtualizes  applications, 
no  information  leaves  the  data  center,  so  Humana  is  able 
to  rigorously  control  the  security  of  patient  information 
and  records,  meet  stringent  government  regulations,  and 
protect  consumer  privacy.  For  Humana,  this  is  how  Citrix 
delivers  the  best  access  experience.  More  than  160,000 
customers  and  98%  of  the  Fortune  500  have  turned  to 
Citrix  to  get  access.  To  learn  how  the  Citrix  access  platform 
can  deliver  the  best  access  experience  for  your  business, 
call  888-820-7918  or  visit  www.citrix.com. 

CiTRIX 

Best  Access  Experience.  Anytime.  Anywhere. 


©2005  Citrix  Systems,  Inc.  All  rights  reserved.  Citrix  is  a  registered  trademark  of  Citrix  Systems,  inc.  r  the  U.S. 
and  other  countries.  Al  other  trademarks  and  regstered  trademarks  are  the  property  of  ther  respectrre  ewers. 


essential  technology 


POS  location  or  to  shadow  customers  to  get 
their  credit  card  number,  PINs  or  other 
data,  says  Matt  Curtin,  founder  of  the  secu¬ 
rity  consultancy  Interhack. 

The  popularity  of  credit  cards  has  also 
made  it  hard  to  justify  any  significant  form 
of  authentication  at  the  point  of  sale.  Credit 
card  companies  have  long  limited  con¬ 
sumers’  liability  to  $50,  relying  on  fees  paid 
by  merchants  to  cover  the  cost  of  fraud, 
which  is  involved  in  about  1  percent  of  all 
transactions,  says  Avivah  Litan,  vice  pres¬ 
ident  and  research  director  for  payments 
and  fraud  at  Gartner.  And  credit  card  com¬ 
panies  depend  on  sophisticated  fraud- 
detection  systems  that  can  reveal  patterns 
of  fraudulent  use  after  very  few  transac¬ 
tions,  limiting  the  losses. 


Some  retailers  would  love  to  drop  credit 
cards,  because  of  their  high  fees.  That’s 
why  Piggly  Wiggly  Carolina,  a  South  Car¬ 
olina-based  grocery  chain,  has  debuted  a 
payment  system  from  Pay  By  Touch  in 
which  customers  use  a  finger  scan  and  an  ID 
number  to  establish  their  identity  at  a  sales 
terminal.  No  credit  card  information  is 
needed  at  the  sales  terminal,  because  the  user 
identity  is  matched  at  a  service  provider— 
Pay  By  Touch— and  the  charge  is  then 
deducted  from  a  linked  bank  account,  says 
Piggly  Wiggly  VP  of  Information  Services 
Rich  Farrell. 

The  use  of  a  second  authentication  factor 
(the  PIN)  also  helps  secure  the  new  Blink  card, 
a  wireless  card  from  Chase  Card  Services  that 
uses  radio  frequency  to  transmit  cardholder 
information  to  a  sales  terminal.  The  technol¬ 
ogy  limits  the  card’s  wireless  range  to  just  two 
inches,  so  thieves  can’t  use  portable  readers  to 
snatch  account  numbers  over  the  air,  says 
Tom  O’Donnell,  a  senior  VP  at  Chase. 


The  Vulnerable  Database 

Gartner’s  Litan  expects  thieves  to  increas¬ 
ingly  target  the  systems  that  store  customer 
data  as  more  and  more  financial  and  retail 
systems  are  linked  together.  Standalone 
host  systems  (often  aging  mainframes) 
weren’t  originally  built  to  defend  such  net¬ 
worked  connections,  so  “more  and  more 
companies  are  centralizing  security  again,” 
returning  to  the  single  security  architecture 
approach  that  worked  well  for  mainframe 
systems,  says  Jeffrey  Margolies,  lead  for 
Accenture’s  security  services  and  identity 
management  practice. 

CIOs  should  consider  these  two  basic 
approaches  to  secure  stored  data,  Pironti 
advises:  Encrypt  data  that  is  not  being  used; 
and  better  manage  access  so  a  rogue  insider 


doesn’t  have  the  privileges  necessary  to  steal 
data.  Most  CIOs  also  need  to  acquire  a  thor¬ 
ough  understanding  of  the  flow  of  customer 
data  and  its  potential  weak  spots,  such  as 
the  use  of  unencrypted  backup  tapes, 
Pironti  says,  rather  than  rely  on  technolog¬ 
ical  fixes.  “In  the  short  run  there’s  a  higher 
expense  to  process  thinking,  but  in  the  long 
run  it’s  cheaper,”  he  says. 

On  the  Web,  No  One  Knows 
You’re  a  Crook 

Analysts  warn  that  electronic  data  theft  is 
growing  fast,  even  as  other  types  of  data 
theft  stay  level  or  decline.  A  Gartner  survey, 
for  example,  shows  phishing  attacks  grew 
28  percent  in  2005.  In  addition,  increasing 
numbers  of  online  thefts  and  hacking 
attempts  are  being  perpetrated  on  behalf  of 
organized  crime,  which  has  started  hiring 
hackers,  says  Litan. 

To  combat  phishing  attacks,  bank  regu- 


The  Biggest 
Fraud  of  All 

And  it  can  be  fixed  easily 

The  largest  percentage  of  fraud  involves 
thieves  using  stolen  consumer  information 
to  open  up  new  accounts,  says  Unisys  secu¬ 
rity  consultant  John  Pironti.  A  fraudulent 
account  can  go  undetected  for  months, 
because  the  consumer  never  sees  any  bills, 
and  the  financial  provider  and  retailers 
have  no  previous  history  with  the  account 
that  would  make  it  possible  for  them  to 
detect  unusual  patterns.  Often  the  fraud  is 
detected  only  when  the  consumer  whose 
information  has  been  stolen  undergoes  a 
credit  check,  such  as  when  he's  buying  a 
home  or  applying  for  refinancing. 

Repairing  the  damage  from  identity  theft 
can  take  hundreds  of  hours  (330  on  average, 
according  to  a  2004  study  by  the  Identity 
Theft  Resource  Center),  but  because  the 
number  of  victims  of  this  kind  of  identity 
theft  is  still  small,  there's  been  little  incen¬ 
tive  for  data  brokers  to  take  stronger  preven¬ 
tive  measures.  Also,  because  it's  very  hard 
to  prove  where  the  stolen  information  came 
from,  data  brokers  and  processors  can 
safely  dodge  liability  for  the  damage,  says 
Matt  Curtin,  founder  of  the  security  consul¬ 
tancy  Interhack. 

But  a  straightforward  and  relatively 
inexpensive  technology  could  address  this 
problem:  notification.  If  a  customer  has  an 
e-mail  account  or  a  telephone,  it  should  be  a 
simple  matter  to  send  a  real-time  alert  to  a 
cell  phone  number  or  e-mail  address  when 
a  new  account  is  opened,  says  Jeff  Schmidt. 
CEO  at  security  consultancy  Authis.  Credit 
bureaus  already  alert  consumers  when 
someone  opens  a  new  account  in  their 
name— but  only  if  the  consumer  previously 
had  his  identity  stolen  and  requested  such 
notifications  to  prevent  further  activity 
without  express  permission.  Requiring  this 
notification  for  every  new  account  could 
considerably  eliminate  identity  theft. 

-G.G. 


The  concept  of  a  national  ID  card  has 
long  faced  strong  opposition.  Efforts  to 
standardize  state  ID  cards  may  achieve 
the  same  result,  but  more  palatably. 


90 


OCTOBER  15,  2005  |  www.cio.com 


THE  ONLY  WAY  TO  DO  BUSINESS 
OUT  OF  THE  OFFICE  IS  WITH 
MULTIPLE  MOBILE  DEVICES. 


GET  YOUR  FREE  COPY  OF  “MOBILE  WORKFORCE  FOR  DUMMIES”  AT  AVAYA.COM/DUMMIES 


AVAYA  IP  TELEPHONY  GIVES  YOU 
SINGLE-DEVICE  MOBILITY,  LIKE 

HONE. 


AVAyA 

COMMUNICATIONS 
AT  THE  HEART  OF  BUSINESS 


©2005  Avaya  Inc.  All  Rights  Reserved.  Avaya  and  the  Avaya  Logo  are  registered  trademarks  of  Avaya  Inc.,  and  may  be  registered  in  certain  jurisdictions.  All  other  trademarks  are  the  property  of  their  respecti 


essential  technology 


lator  Federal  Deposit  Insurance  Corp.  plans 
to  issue  guidelines  for  online  banking  this 
fall  that  require  authentication  beyond  user 
IDs  and  passwords.  The  agency  isn’t  dictat¬ 
ing  what  technologies  companies  must  use, 
giving  the  financial  and  retail  industries  a 
chance  to  develop  their  own  standards  and 
technologies. 

Two-factor  authentication’s  success  in  the 
physical  world  has  made  it  the  choice  of  tech¬ 
nology  to  protect  online  transactions  as  well. 
“It  minimizes  the  theft  of  identity  online,” 
notes  former  national  security  adviser 
Richard  Clarke,  now  chairman  of  security 
consultancy  Good  Harbor  Consulting. 


thing  else.  Such  systems  can  also  be  vulner¬ 
able  to  “man  in  the  middle”  attacks,  where 
communication  between  the  customer  and 
the  company  is  intercepted,  Clarke  notes. 

That’s  why  some  companies  are  trying 
token-based  methods,  such  as  scratch  cards, 
where  customers  scratch  off  a  protective  cov¬ 
ering  on  a  card  to  reveal  a  one-time  access 
code.  In  the  United  States,  E-Trade  Financial 
is  implementing  the  high-tech  version  of  this 
approach  using  RSA  Security’s  lipstick-sized 
SecurlD  device,  which  produces  new,  one¬ 
time  codes  every  60  seconds  and  displays 
them  on  a  small  LCD  screen.  Users  enter  the 
code  showing  on  the  screen  when  logging 


Analysts  warn  that  electronic  data  theft 
is  growing  fast,  even  as  other  types  of 
data  theft  stay  level  or  decline. 


Several  companies  are  experimenting  with 
two-factor  authentication  approaches.  For 
example,  Bank  of  America  is  deploying  a  sys¬ 
tem  from  PassMark  Security  that  requires 
the  user  to  answer  a  personal  question  from 
a  rotating  set  and  to  choose  from  a  collection 
of  pictures  supplied  by  the  bank,  with  only 
one  picture  matching  the  “validator”  picture 
the  customer  selected  when  opening  the 
account.  And  online  bank  ING  Direct  rotates 
personal  questions  to  provide  a  second  chal¬ 
lenge  when  the  user  logs  in.  Some  banks  and 
online  retailers  are  using  technology  from 
such  companies  as  Actimize,  Corillian,  Cyota 
and  The  41st  Parameter  that  creates  a  profile 
of  user  access,  noting  the  IP  addresses  from 
which  users  log  in,  the  time  zone  and  so  forth. 
If  a  thief  logs  in  from  Argentina  posing  as  a 
customer  from  Delaware,  the  profile  won’t 
match  and  the  bank  can  issue  an  additional 
challenge  question  to  verify  the  identity.  (That 
extra  step  allows  access  by  legitimate  users 
who  are  traveling.) 

Still,  any  data— even  biometric  informa¬ 
tion  such  as  fingerprints— that’s  stored  as 
an  authentication  mechanism  is  vulnerable: 
If  a  thief  breaks  into  a  bank’s  systems,  he 
gets  the  validating  data  along  with  every¬ 


into  their  investment  accounts.  If  the  device 
is  stolen,  a  phone  call  from  the  customer  flags 
it  as  invalid,  so  a  thief  could  not  use  it.  And 
even  if  the  consumer’s  computer  has  been 
hacked  and  a  keylogger  installed  to  steal 
passwords,  the  code’s  ever-changing  nature 
means  a  thief  would  still  be  stymied,  says 
Joshua  S.  Levine,  E-Trade’s  chief  technology 
and  operations  officer. 

But  token-based  authentication  makes 
many  companies  nervous,  analysts  say, 
because  of  the  implementation  and  support 
costs.  They  also  say  that  consumers  won’t  tol¬ 
erate  having  more  than  a  very  few  such 
devices.  Alternatives  do  exist,  of  course. 
Canadian  cash-card  provider  SolidPay,  for 
instance,  uses  cell  phones  for  two-factor 
authentication.  It  has  deployed  Sti'ikeForce 
Technologies’  software,  which  calls  cus¬ 
tomers’  cell  phones  and  prompts  them  to 
enter  their  PIN  on  the  phone’s  keypad  when 


Keep  Up  Online 


Technology  Editor  Christopher  Lindquist 
scours  the  best  of  what’s  on  the  Web  when  it 
comes  to  emerging  technology.  Read  his  blog, 

TECH  LINKLETTER,  at  www.cio.com 

cio.com 


In  2003, 

5.7  million 
credit  card 
numbers  were 
stolen  and 
used  to 
purchase  an 
average  of 
$800  worth  of 
merchandise, 
totaling 

$4.5B 

in  losses  for 
credit  card 
companies. 

SOURCE:  Gartner 


they  try  to,  for  example,  transfer  money  to 
their  cards.  And  to  combat  device  prolifera¬ 
tion,  RSA  plans  to  launch  a  form  of  federation 
service  this  fall  that  would  let  consumers  use 
the  same  SecurlD  authenticator  device  for 
accounts  at  multiple  companies. 

Some  analysts  believe  such  systems 
are  inevitable.  The  federal  government’s 
requirement  that  passport  holders,  trans¬ 
portation  workers  and  government  employ¬ 
ees  all  use  smart  card  IDs  will  create  a 
critical  mass  of  adoption  for  a  standard 
token,  says  Good  Harbor’s  Clarke.  He  ulti¬ 
mately  envisions  ID  cards  that  everyone 
carries,  just  as  most  now  carry  a  driver’s 
license  and  a  credit  or  debit  card.  (The  con¬ 
cept  of  a  national  ID  card  has  long  faced 
strong  opposition,  although  efforts  to  stan- 


92 


OCTOBER  15,  2005  |  www.cio.com 


HOW  CAN  WE  MAKE  SURE  INNOVATION 
DOESN’T  HAPPEN  ONLY  IN  R&D? 


HOW  DO  WE  CREATE  NEW  VALUE  WITHOUT 
CREATING  COMPLICATIONS? 


HOW  COULD  WE  TURN  VOLATILITY  INTO 
AN  ASSET? 


With  over  70,000  business  experts  worldwide,  IBM  has  the  answers.  Our  deep  expertise 
in  On  Demand  Business  covers  17  industries,  in  areas  ranging  from  HR  to  finance,  and  can 
help  identify,  create  and  deliver  lasting  business  value.  We’ve  already  helped  Volkswagen 

and  Virgin  Entertainment  become  more  agile,  more  innovative  and  more  profitable.  What  • 

could  we  do  for  you?  Learn  more  at  ibm.com/innovation 

IBM.  the  IBM  logo  and  On  Demand  Business  are  registered  trademarks  Or  trademarks  of  International  Business  Machines  Corporation  in  the  United  States  and/or  other  countries.  Other  company,  product  artcf 
names  may  be  trademarks  or  service  marks  of  others.  ©2005  IBM  Corporation.  All  rights  reserved.  •  /  -  i  'S. 


essential  technology 


dardize  state  ID  cards  may  achieve  the  same 
result,  but  more  palatably.) 

The  Slow  Road  to  Security 

Wary  of  the  cost  of  token-based  authentica¬ 
tion  and  of  annoying  customers  with  extra 
steps  such  as  answering  validation  ques¬ 
tions,  financial  providers  are  implementing 
fraud-detection  systems  similar  to  what 
credit  card  companies  have  long  used,  Litan 
says.  For  online  access,  most  are  focusing  on 
methods  that  don’t  require  user  action  (for 
example,  checking  a  user’s  current  location 
against  his  profile  of  usual  access  locations). 

A  second  low-impact  approach— this  one 
designed  to  limit  the  damage  caused  by 
phishing  attacks— is  the  use  of  server-side 
certificates  to  verify  that  users  have  in  fact 
reached  the  bank  or  retailer  they  intended  to 
contact,  suggests  David  Meunier,  CSO  of 
CUNA  Mutual  Group,  which  provides  pro¬ 
cessing  services  to  credit  unions.  This 
approach  means  that  the  browsers  should 
have  SSL  and  Validation  turned  on,  enabling 
the  browser  to  display  the  certification 
results,  so  users  will  know  if  they  have 
arrived  at  their  intended  site  and  not  a  sin¬ 
ister  look-alike.  (Students  at  Stanford  Uni¬ 
versity  recently  released  such  software  for 
the  Mozilla  Firefox  browser.)  Meunier 
acknowledges,  however,  that  this  technol¬ 
ogy  would  not  stop  phishing  via  e-mail 
(which  has  no  similar  widespread  certificate 
standard  in  place  as  of  yet). 

Another  browser-security  option  accord¬ 
ing  to  Chris  Novak,  senior  security  consult¬ 
ant  at  Cybertrust,  is  a  browser  plug-in  that 
detects  password  or  account  entry  fields  and 
scrambles  them  with  a  key  known  to  both 
the  browser  and  the  legitimate  server.  Con¬ 
sidering  the  small  number  of  browser  types 
in  wide  use,  it  should  be  straightforward  to 
distribute  such  a  plug-in  if  the  financial 
industry  agreed  on  a  standard  for  it,  he  says. 

Given  the  fractured  nature  of  the  finan¬ 
cial  services  and  retail  industries,  analysts 
agree  that  it’s  likely  that  improved  security 
for  customer  data  will  come  from  efforts 
that  combine  numerous  techniques  such  as 
those  mentioned  above.  While  government 
regulation  could  push  reluctant  companies 


The  Dawn  of  General- 
Purpose  Grid? 

UTILITY  COMPUTING  |  All  those  computers,  sitting  on  desks  throughout  your  office, 
most  of  the  time  doing— nothing.  Grid  computing  proponents  have  long  promised  to  tap  those 
machines,  providing  a  new  and  low-cost  source  of  processing  power.  But  thus  far,  the  applica¬ 
tions  for  grid  have  mostly  benefited  scientists,  derivatives  analysts  and  people  trying  to  extract 
alien  messages  from  galactic  background  noise. 

Now  one  of  grid's  biggest  boosters  is  hoping  to  change  the  situation,  creating  a  truly  general- 
purpose  grid  by  turning  networks  of  computers  into  a  single  virtual  machine.  (For  more  on  virtual¬ 
ization,  see  “The  Virtues  of  Virtualization,”  Sept.  15.) 
Platform  Computing’s  Enterprise  Grid  Orchestrator 
(EGO)  purports  to  offer  a  standardized  way  of  consoli¬ 
dating,  managing  and  sharing  computing  resources 
spread  throughout  a  grid,  one  that  will  put  those 
resources  to  use  for  Web  services,  service-oriented 
architectures,  and— through  partnerships— general 
applications. 

It's  nothing  we  haven’t  heard  before,  of  course, 
but  Platform  has  some  deals  already  on  the  books 
that  make  this  look  somewhat  promising.  Cognos, 
for  instance,  this  past  summer  demonstrated  its 
Cognos  ReportNet  business  reporting  software 
running  on  EGO.  Platform  has  also  partnered  with 
VMWare  to  create  the  Platform  VM  Orchestrator, 
software  that  will  allow  corporations  to  pool  IT 
resources  (CPUs,  storage  and  memory)  and  auto¬ 
matically  carve  out  environments  for  running  appli¬ 
cations  on  virtual  machines,  in  much  the  same  way 
as  VMWare  currently  lets  customers  divide  single 
computers  into  virtual  partitions,  each  with  its  own 
operating  system  and  resources. 

The  benefit  of  such  a  system  is  that  it  would 
allow  applications  to  run  unmodified  on  VMWare 
virtual  environments  that  could  scale  up  or  down  quickly  depending  on  requirements  and 
available  resources.  Getting  a  sudden  surge  in  usage  on  the  business  intelligence  application? 
Suck  a  few  more  idle  desktop  PCs  into  the  pool  and  put  them  to  work  doing  something  besides 
warming  a  desk. 

The  EGO  development  kit  is  available  now.  Platform  VM  Orchestrator  is  due  this  fall. 

-Christopher  Lindquist 


Thus  far,  the 
applications 
for  grid  have 
mostly  benefited 
scientists, 
derivatives 
analysts  and 
seopletiying 
:o  extract  alien 
messages 
from  galactic 
background 
noise. 


to  implement  more-intrusive  technologies 
such  as  two-factor  authentication  for  at  least 
some  online  transactions,  public  pressure  is 
the  more  likely  way  slow-moving  compa¬ 
nies  will  be  spurred  on,  especially  if  con¬ 


sumers  view  security  as  an  asset  rather 
than  as  a  barrier  to  commerce.  HE] 


Galen  Gruman  is  a  freelance  writer  in  San  Francisco. 
Hecan  be  reached  at ggruman@zangogroup.com. 


94 


OCTOBER  15,  2005  |  www.cio.com 


HOW  DO  WE  MANAGE  SUPPLY, 
DEMAND  AND  CHAOS? 


HOW  CAN  INFRASTRUCTURE  UNCOVER 
HIDDEN  OPPORTUNITIES? 

HOW  CAN  I.T.  HELP  TURN  STRATEGIC 
FANTASY  INTO  MARKETPLACE  REALITY? 


IBM  BUSINESS  CONSULTING 

Find  the  answers  with  an  altogether  different  kind  of  business  thinking.  IBM  combines  world- 
class  innovation  with  unique  strategic  thinking  to  identify,  create  and  deliver  lasting  business 
value.  We  consider  IT  possibilities  from  the  outset,  so  a  brilliant  strategy  is  also  executed 
brilliantly.  Learn  more  about  what  makes  IBM  different,  and  how  we’ve  already  helped  Procter 
&  Gamble  and  the  NFL  tightly  align  IT  with  business  strategy.  Visit  ibm.com/innovation 


IBM,  the  IBM  logo  and  On  Demand  Business  are  registered  trademarks  or  trademarks  ot  International  Business  Machines  Corporation  in  the  United  States  and/or  other  countries.  Other 
names  may  be  trademarks  or  service  marks  of  others.  ©2005  IBM  Corporation.  All  rights  reserved. 


FROM  THE  PUBLISHER 


Tax  Madness 

Congress  should  close  the  tax  loopholes  in  job 
creation  legislation 


In  fall  2004  Congress  passed  the  American  Jobs  Cre¬ 
ation  Act.  Its  intent  was  to  give  U.S.-based  multinational 
corporations  a  onetime  tax  break  to  allow  them  some 
spending  money  to  create  American  jobs. 

On  paper,  the  tax  break  seems  reasonable.  U.S.-based 
multinational  companies  must  pay  taxes  on  their  earn¬ 
ings  in  the  foreign  countries  where  they  have  subsidiaries. 
Before  the  2004  job-creation  legislation,  those  earnings— 
called  “repatriated  income”— were  then  also  subject  to  tax¬ 
ation  at  a  rate  of  35  percent  when  they  showed  up  on  the 
balance  sheets  at  the  home  office— if  they  ever  showed  up.  U.S.  companies  often  simply 
parked  profit  abroad  to  dodge  the  35  percent  tax  bracket  back  at  home. 

The  break  legislated  by  the  act  lowered  the  U.S.  tax  on  multinationals’  repatriated 
income  from  35  percent  to  5.25  percent.  The  intent  was  this:  The  onetime  lower  rate  would 
encourage  them  to  move  foreign  profits  to  the  home  balance  sheet.  They  would  then  ear¬ 
mark  the  resulting  windfall  to  educate  and  train  workers  for  jobs  here  in  America. 

But  because  of  loopholes  permitted  by  the  U.S.  Department  of  the  Treasury,  the  com¬ 
panies  have  a  great  deal  of  leeway  in  how  they  spend  those  repatriated  profits. 

And  job  creation  ain’t  job  one! 

In  fact,  six  of  the  10  companies  repatriating  the  largest  sums  of  money  are  firing  U.S. 
workers.  Others  are  building  acquisition  war  chests.  At  least  one  company  is  using  the 
money  to  pay  down  the  debt  on  a  past  acquisition— one  that  laid  off  tens  of  thousands. 

Moreover,  repatriated  income  is  cutting  into  company  profits.  Why?  Because  even  at 
5.25  percent,  a  company  taking  a  $14  billion  repatriated  income  hit  still  must  pay  $735  mil¬ 
lion  in  taxes.  But,  who  cares?  The  $13.4  billion  revenue  hit  was  sure  worth  it. 

Bottom  line:  At  a  time  when  American  businesses  and  American  tech  workers  need  all 
the  help  they  can  get  to  remain  competitive  in  a  global  economy,  corporate  CEOs  have 
once  again  shown  their  true  colors.  And  those  are  all  about  profits  at  their  workers’  expense. 

Congress  should  demand  that  all  $520  billion  of  the  windfalls  be  returned  to  the  Trea¬ 
sury  department.  Or  at  the  very  least,  Congress  should  create  a  worker  training  program 
with  the  money  that  is  supposed  to  be  100  percent  dedicated  to  helping  our  workers. 

If  not,  shame  on  Congress. 


THE  RESOURCE  FOR  INFORMATION  EXECUTIVES 

president  and  ceo  Michael  Friedenberg 
publisher  Gary  J.  Beach 

CXO  MEDIA 

CIRCULATION 

svp.  circulation  Carol  A.  Spach 
circ.  dir.  Faith  Marcello 

subscription  svcs.  supervisor  Tina  Pescaro 

CIO  EXECUTIVE  COUNCIL 

GENERAL  MANAGER  Mark  Hall 

managing  dir.,  content  development  Richard  Pastore 
program  director  Shaw  Lively 
dir.,  external  relations  Karen  Fogerty 
dir.,  program  development  David  Lien 
director  of  research  Michael  Swenson 
marketing  communications  manager  Jennifer  Baker 
mgr.  of  operations  and  project  mgmt.  Jean  Costello 
dir.,  event  strategy  and  planning  Thomas  Bliss 
member  services  managers  Michael  Fahlsing. 

Bill  Golden.  Carrie  Mathews.  Bill  Roche 
senior  program  managers  Stephen  Buckler. 
Ross  Chapin.  Patrick  Clarke.  Robert  Graham, 
Andy  Kerr.  Amanda  Neal,  Steve  Rovniak 
operations  coordinator  Darcy  Chamberlain 

EXECUTIVE  PROGRAMS 

vp,  executive  programs  Ellen  Daly 
vp,  conference  mgmt.  Cynthia  Mollus 
director  of  marketing  Mary  Cardwell 

DIRS.,  BUSINESS  DEVELOPMENT 

Chris  Mattoon,  John  Vulopas 

dir.,  event  planning  Amy  Turell 
conference  manager  Judith  Kittredge 
event  planner  Sarah  Yee 
designer  Andrea  Slobogan 
client  relations  associate  Lisa  Byron 
client  services  specialist  Cress  O'Brien 

ONLINE 

general  manager  David  Churbuck 
online  producers  Todd  Borglund.  Bill  Hall. 
Jennifer  McCarthy,  Joe  Nguyen 

INFORMATION  SYSTEMS 
idg  dir.  of  information  services  Nancy  Newkirk 
infrastructure  manager  James  C.  Burgoyne 
sr.  i.t.  specialist  Jonathan  Frappier 
system  administrator  Robert  Reagan 
senior  user  support  specialist  Christopher  A.  Kay 
user  services  specialist  Gloria  Lam 
sr.  web  developers  Sean  McCracken.  Chris  Murray 

PRODUCTION 

vp,  manufacturing  Chris  Cuoco 
production  manager  Heidi  Broadley 
associate  production  manager  Lisa  M.  Stevenson 

MARKETING 

dir.,  marketing  research  Bridget  Cammarata 
marketing  research  manager  Carolyn  Johnson 
sr.  director,  marketing  comm.  Sue  Yanovitch 
sr.  marketing  comm,  specialist  Susan  Maloney 
marketing  comm,  coordinator  Lynn  Holmlund 

ADMINISTRATION 

coo  Matt  Smith 

dir.,  finance  Margarita  Chiango 

finance  &  operations  analyst  Chris  Bernardi 
executive  assistant  to  the  president  Diane  Martin 
billing  specialist  Joyce  Gillis 
facilities  specialist  John  Kelley 
office  services  coordinator  Mary  E.  Wooldridge 

HUMAN  RESOURCES 

vp,  human  resources  Patricia  Chisholm 

human  resources  director  Tanya  Bureau 
sr.  hr  representative  Beth  S.  Ramistella 


Gary  J.  Beach,  Publisher 

gbeach(5)cio.com 


< 

X 

o 

CD 

m 


CD 

o 

t— 

o 

X 


CXOXMEDIA  INC 


INTERNATIONAL  DATA  GROUP 

board  chairman  Patrick  J.  McGovern 
ceo  Pat  Kenealy 

president,  idg  communications  Bob  Carrigan 


96 


OCTOBER  15,  2005  |  www.cio.com 


Location,  Location,  Location... 


It's  fundamental  to  your  business.  Are  you  leveraging  your  location  data? 

Customer  addresses,  time  zones,  office  facilities,  service  areas,  political  boundaries,  critical  shipments, 
utility  networks,  field-workers,  real  estate,  mobile  assets,  and  warehouses — location  is  mission  critical 
in  every  organization. 

By  leveraging  the  location  information  that  is  inherent  in  your  information  systems,  you  can  manage 
your  organization  more  efficiently  and  cost-effectively,  helping  you  gain  a  competitive  advantage. 

ESRI  technology  is  a  standards-based,  scalable,  and  interoperable  platform  that  can  exploit  location 
data  in  your  business  processes.  With  ESRI  geographic  information  system  (GIS)  technology,  you  can 
make  location  information  and  analysis  available  to  the  people  in  your  organization — at  all  levels — 
who  need  it  most. 


Request  a  copy  of  the  IDC  white  paper  ESRI:  Extending  GIS  to  Enterprise  Applications 
at  www.esri.com/idc_paper  or  call  1  -888-373-1 1 92. 

You  have  all  the  location  information;  put  it  to  work  for  you. 


Copyright  ©  2005  ESRI  All  rights  reserved.  The  ESRI  globe  logo.  ESRI,  ArcMap,  www.esri  com,  and  Arclnfo  are  trademarks,  registered  trademarks,  or  service  marks  of  ESRI  in  the  United  States,  the  European  Community,  or  certain  other  jurisdictions 


SALES  AND  SERVICES 


CIO  SALES  OFFICES 

President  and  CEO 

Michael  Friedenberg 
508  935-4310 
Publisher 
Gary  J.  Beach 
508  935-4202 

EAST  COAST 

VP  Sales,  East 

Bob  Bragdon 
508  935-4443 
Regional  Sales  Director 
Kathy  Powers 
201634-2331 
Regional  Sales  Manager 
Ellie  Schwab 
201634-2332 
Senior  Sales  Associate 
Rhonda  Goodman 
201 634-2329 
Fax  •  201 634-9513 

NEW  ENGLAND 

Senior  District  Sales  Manager 

Andrew  Haney 
508  935-4586 
Sales  Operations  Manager 

Dawn  Cora 
508  935-4092 
Fax  •  508  879-6063 

NORTH  CENTRAL 

Senior  District  Sales  Manager 

Beth  DeVillez 
847  759-2727 


Advertising  Sales  Associate 

Kim  Giovanni 
847  759-2728 
Fax  •  847  759-2729 

WEST  COAST 

VP  Sales,  West 

Bob  Melk 
415  975-2685 

Senior  Regional  Sales  Manager 

Ai  Collins 
415  975-2686 

Regional  Sales  Manager 

Kevin  Ebmeyer 
415  975-2684 

Account  Executive 

Derek  Jung 
415  975-2683 
Fax  •  415  543-2358 

Senior  Account  Executive 

Sara  Mascall 
415  978-3385 

SOUTHERN  CALIFORNIA 

Regional  Sales  Manager 

Kevin  Ebmeyer 
415  975-2684 

LIST  SERVICES 

List  Services  Director 

Kathryn  A.W,  Marston 
508  935-4072 

List  Services  Account  Executive 

Stephanie  Roy 
508  935-4151 


ONLINE  SERVICES 

Western  Online  Sales  Manager 

Jennell  Hicks 
415  243-8585 

Online  Account  Executive 

Danielle  Tetreault 
508  988-6770 

CUSTOM 

PUBLISHING 

VP  of  Program  Development, 
IDG 

Charles  Lee 

Director 
Mary  Gregory 
508  988-6765 

Director  of  Content 
Development 

Tom  Field 

Assoc.  Director  of  Content 
Development  Anne  Stuart 
Senior  Project  Manager 

Amy  Greenleaf 
Project  Managers 

John  Danielowich,  Jon  Heinrich 

REPRINT  SERVICES 

For  article  reprints  (100  quantity 
or  more),  please  contact  Jesse 
Levy  at  PARS  International  at 
212  221-9595  xl23  or 
via  e-mail  at 
jesse@parsintl.com. 


CIO  IS  PUBLISHED  IN 
THE  U.S.  AS  WELL  AS  IN: 

Australia,  CIO  Australia 
www.idg.com.au 
Canada,  CIO  Canada 
www.lti.on.  ca/cio 
China,  CEO  &  CIO  China 
www. ceocio.com.  cn 
France,  CIO  France 
www.idg.fr/cio 
Germany,  CIO  Germany 
www.cio.de 

India,  CIO  India  91-80-521- 

0309/12 

Japan,  CIO  Japan 

www.idg.co.jp 

The  Netherlands,  CIO 

Netherlands  www.cio.nl 

New  Zealand,  CIO  New  Zealand 

www.idg.co.nz 

Norway,  CIO  Business  Standard 
www.business-standard.no 
Poland,  CXO  Poland 
www.cxo.pl 

Singapore,  CIO  ACEN/Hong- 
Kong  www.idg.com.sg 
South  Korea,  CIO  Korea 
www.cio.seoul.kr 
Sweden,  CIO  Sweden 
www.cio.idg.se 

For  further  sales  information, 
visit 

www2.cio.com/marketing/ 

aboutcio/contacts.cfm. 


INDEX  OF  COMPANIES  AND  ADVERTISERS 

Page  numbers  refer  to  the  first  page  of  the  article(s)  in  which  the  company  has  a  substantial  mention. 

This  index  is  provided  as  a  service  to  readers.  The  publisher  does  not  assume  any  liability  for  errors  or  omissions. 


COMPANY  INDEX 

Accenture  Ltd . 21 

AirTran  Airways  . 58 

American  Express  Co . 66 

American  Greetings  Corp . 58 

Apple  Computer  Inc . 21 

Authis  . 88 

Bain  &  Co.  Inc . 58 

Bank  of  America  Corp . 66 

Better  Communications  Business 

Writing  Workshops  Inc . 85 

Booz  Allen  Hamilton  Inc . 46 

Business  Software  Alliance  ....  46 

Capital  One  . 42 

CardSystems  Inc . 66 

ChoicePoint  Inc . 66 

CitiFinancial . 66 

Citigroup  . 66 

Cognos  Inc . 88 

Commerce  Bancorp  Inc . 66 

Communication  Associates  ....  85 

Cox  Communications  Inc . 21 

CUNA  Mutual  Group  . 88 

Cybertrust  Inc . 88 

eBay  Inc . 66 

E*TRADE  FINANCIAL  Corp.  ...  88 
Flextronics  International  Ltd.  ...  46 

Giant  Eagle  Inc . 58 

Granite  Ventures  LLC . 85 

Hannaford  Bros.  Co . 58 

Hewlett-Packard  Co . 46 

Hilton  Hotels  Corp . 58 

IBM  Corp . 46 


Industrial  and  Commercial  Bank 


of  China  . 21 

ING  DIRECT . 88 

IntelliCare . 21 

Internosis . 85 

Iron  Mountain  Inc . 66 

Kinetics  . 58 

MasterCard  International  Inc.  . .  66 

Maxtor  Corp . 46 

McGraw-Hill  Cos.  Inc.,  The . 21 

MCI  Inc . 66 

Microsoft  Corp . 21 

Morgan  Stanley . 66 

Mozilla  Organization,  The  . 88 

MPI  Group,  The . 46 

Novell  Inc . 21 

Options  Clearing  Corp.,  The  ...  38 

Pacific  Cycle  Inc . 46 

Passmark  Security  Inc . 88 

Pepsi  Bottling  Group  Inc.,  The  .  .  21 

Pew  Research  Center . 21 

Piggly  Wiggly  Carolina  Co . 88 

Pittiglio  Rabin  Todd  &  McGrath  .  46 

Platform  Computing  Inc . 88 

PNC  Financial  Services 

Group  Inc . 66 

PricewaterhouseCoopers . 66 

Procter  &  Gamble  Co.,  The  ....  34 

Progress  Software  Corp . 46 

Red  Flag  Software  Co.  Ltd . 21 

Research  In  Motion  Ltd . 66 

Robert  Half  International  Inc.  ...  21 

RSA  Security  Inc . 88 

Shearman  &  Sterling  LLP  . 46 


Sheryl  Lindsell-Roberts  and 

Associates  . 85 

Solectron  Corp . 46 

Solidus  Networks  Inc . 88 

StrikeForce  Technologies  Inc.  .  .  88 
Summit  Research  Associates 

Inc . 58 

SunTrust  Banks  Inc . 42 

Target  Corp . 58 

TIAA-CREF  Individual  & 

Institutional  Services  LLC  ....  74 

Time  Warner  Inc . 66 

Turbolinux  Inc . 21 

Unisys  Corp . 46 

US  Airways  Inc . 58 

Visa  International  Service 

Association  . 66 

VMware  Inc . 88 

Wachovia  Corp . 66 

Wal-Mart  Stores  Inc . 42 

Watts  Water  Technologies  Inc.  .  .  46 
Xerox  Corp . 21 

ADVERTISER  INDEX 

3M  .  71 

Akamai  Technologies  Inc . 53 

AT&T  . 37 

Avaya  . 91 

Brother  International . 79 

Business  Objects  Inc . 29 

Canon  . 2 


Cinguiar  Wireless . 57 

Citrix  Systems  Inc . 89 

Computer  Associates  Inti.  Inc.  .  .  45 

CXO  Media  Inc .  25,  49,  76 

EMC*  . 53a 

ESRI . 97 

Fujitsu  Computer  Systems  Corp.  43 

Hewlett-Packard  Co . 49a,  55 

Hyperion  Solutions  . C4 

IBM  Corp . C2,  41,  93,  95 

Juniper  Networks  Inc . 65 

KODAK  Service  &  Support . 61 

Kyocera  Mita  Corp . 99 

Lenovo  Group  . 30 

Microsoft  Corp .  8,  63,  73,  75 

MicroStrategy  Inc . 11 

MRO  Software  Inc . 84 

NEC  Corp . 27 

NetScaler  Inc . 69 

Novell  Inc . 4 

Oracle  Corp . 17 

Palm  Inc . 19 

Ricoh  Corp . 33,  39 

Samsung . 7 

SAP  . 81 

SAS  . 20 

Satyam  Computer  Services  Ltd.  23 

Sony  Corp . 12 

Sterling  Commerce  Inc . 15 

Sun  Microsystems  Inc . 51,  83 

Sybase . C3 

Symantec  Corp . 35 

Vontu  . 24a 


CIO  CONTACT 
INFORMATION 

Editorial,  Advertising  and  Business 

Offices:  CXO  Media  Inc.,  492  Old 
Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208, 

508  872-0080. 

CIO  (ISSN  0894-9301)  is  published 
semimonthly  and  as  a  combined 
issue  Dec.  15/Jan.  1  by  CXO  Media 
Inc.  Periodicals  postage  paid  at 
Framingham,  MA,  and  at  additional 
mailing  offices.  Canada  Publications 
Mail  Agreement  Number  1902075. 
CANADIAN  POSTMASTER:  Please 
return  undeliverable  copy  to  P.O.  Box 
1632,  Windsor,  ON  N9A  7C9. 

Permissions:  Copyright  2005  by 
CXO  Media  Inc.  All  rights  reserved. 
Reproduction  of  material  appearing 
in  CIO  is  forbidden  without  written 
permission.  Send  all  requests  to 
Permissions  Department,  CIO, 

492  Old  Connecticut  Path, 

P.O.  Box  9208,  Framingham,  MA 
01701-9208. 

Photocopy  Rights:  Permission  to 
photocopy  for  internal  or  personal 
use  or  the  internal  or  personal  use  of 
specific  clients  is  granted  by  CIO  for 
users  through  the  Copyright  Clear¬ 
ance  Center,  provided  that  the  base 
fee  of  $3  per  copy  of  the  article,  plus 
$.50  per  page  is  paid  directly  to 
Copyright  Clearance  Center,  27 
Congress  Street,  Salem,  MA  01970. 
Please  specify:  ISSN  0894-9301. 
Permission  to  photocopy  does  not 
extend  to  contributed  articles 
followed  by  this  symbol:  t. 

Subscriptions:  CIO  is  free  to 
qualified  information  executives.  To 
apply,  use  our  online  subscription 
form  at  www.subscribe.cio.com. 
Subscriptions  are  also  available  on 
a  paid  basis  at  a  rate  of  $95  for  the 
United  States  and  Canada,  $195 
International  (payable  in  U.S.  funds 
only)  and  may  be  ordered  online  at 
www.  subscribe,  cio.  com/services,  html . 
Or  address  inquiries  to  CIO.  P.O. 

Box  489,  Northbrook,  IL  60065- 
0489;  866  354-1125.  Please  allow 
four  to  six  weeks  for  a  new  subscrip¬ 
tion  to  begin.  The  single  copy  price 
is  $9  for  the  United  States  and 
Canada,  and  $15  International. 
Prepayment  is  required,  payable  in 
U.S.  funds. 

Change  of  Address:  Please  go  to 
www.omeda.com/custsrv/cio  and 
follow  the  online  instructions. 

Postmaster:  Send  change  of 
address  to  CIO,  P.O.  Box  489, 
Northbrook,  IL  60065-9816. 

Printed  in  the  U.S. A. 


9  8 


OCTOBER  15,  2005  |  www.cio.com 


cjKyocERa 


.  >  •  • 

:  '  •: 

_ 

gsi 

b 

^  AjJljk  '  ' 

L . 

if  * 

mi 

HR 

Now  there's  a  color  printer  you'll  want  on  your  team  for  the  long  run. 

For  vivid  color  and  outstanding  value  there's  nothing  like  the  with  charts  and  images.  What's  more,  IT  people  love  this  printer 
new  Kyocera  FS-C5030N,  600  dpi  color  printer.  It  boasts  because  of  its  advanced  print  driver  technology  -  one  driver, 
26  dazzling  prints  per  minute  and  the  Lowest  Total  Cost  of  one  install.  No  wonder  Kyocera  printers  have  won  numerous 
Ownership  in  itsclass*  Itsaves  you  money  overtime,  so  now,  you  industry  awards  for  technology  and  overall  reliability, 
can  afford  to  add  color  to  any  text  document,  or  presentations  So  get  connected  today  and  start  saving. 


Visit  our  web  site  today:  www.kyoceramita.com/newproducts 


People  Friendly. 


A  whole  new  reason  to  smile. 


The  New  Value  Frontier 

^ xyocERa 


KYOCERA  MITA  CORPORATION  KYOCERA  MITA  AMERICA.  INC.,  a  group  company  of  Kyocera  Corporation 
02005  Kyocera  Mita  Corporation  and  Kyocera  Mita  America.  Inc.,  "People  Friendly”,  the  Kyocera  "smile”  and  the  Kyocera  logo  are  trademarks  of  Kyocera 


•  Source:  Current  Analysis,  b. 


10  15  05  EXECUTIVE  S  U  IT1 TT1  CL  I"l6  S 


Ed  Matthews,  director  of  information 
systems  for  Pacific  Cycle,  compensates 
forthe  lack  of  visibility  into  his  Chinese 
supply  chain  by  lengthening  the  lead 
time  for  the  production  of  bicycles  in 
Chinese  factories. 


46 | COVER  STORY 
MAKING  IT  IN  CHINA 

CIOs  who  have  succeeded  in 

China  understand  how  differ¬ 
ent  the  cultural,  political  and 
business  landscape  is  there  and  how 
those  differences  affect  the  manage¬ 
ment  of  supply  chains.  They  know,  for 
example,  that  the  Chinese  government 
essentially  becomes  a  third  party  in 
any  business  relationship  and  can 
intervene  at  any  time  in  capricious 
ways.  They  understand  that  commu¬ 
nism  is  merely  a  new  name  for  a  politi¬ 
cal  and  economic  system  that  for 
hundreds  of  years  has  stressed  hierar¬ 
chy  and  authority  over  independence 
and  jurisprudence.  These  executives 
have  developed  strategies  that  accom¬ 
modate  these  differences  without  com¬ 
promising  the  goals  of  low  cost  and 
high  quality.  In  this  article,  we  share 
those  strategies  with  you. 

By  Christopher  Koch 


58  |  SIX  SIMPLE  RULES  FOR  SUCCESSFUL  SELF-SERVICE 

CHANCES  ARE  IT’S  BEEN  20  years  since  you’ve  stood  in  line  at  your  bank  to  get  cash 
from  a  teller.  ATMs  offer  such  convenience  to  customers— and  are  so  much  more  efficient 
for  banks— that  no  one  can  imagine  going  back  to  the  old  days.  Since  then,  companies 
have  been  eager  to  tap  into  the  free  labor  pool  of  customers  who  can  be  convinced  to  help 
themselves.  Through  self-service,  organizations  have  been  able  to  reduce  labor  costs, 
increase  revenue  and  inspire  loyalty  in  customers  who  appreciate  speedier  service.  But 
although  some  self-service  projects  pay  off  handsomely,  others  don’t.  For  instance,  Sum¬ 
mit  Research  Associates  estimates  that  15  percent  to  20  percent  of  all  self-service  kiosk 
projects  fail.  If  any  self-service  system  is  too  complex,  customers  will  give  up  in  frustra¬ 
tion.  Sometimes,  self-service  fails  for  the  simple  reason  that  customers  don’t  know  it’s 
an  option  or  are  wary  of  trying  it  on  their  own.  Companies  that  have  done  well  with 
self-service  succeed  by  following  six  simple  rules.  Follow  them,  and  you  can  fix  what  ails 
your  self-service  systems— or  maybe  get  them  right  the  first  time.  By  Alice  Dragoon 

66  |  50-CENT  HOLES 

YOU  CAN  SPEND  ALL  THE  MILLIONS  you  want  to  on  security,  and  you  can  build  tech¬ 
nology  walls  from  floor  to  ceiling— but  tiny  training  oversights  can  render  all  your  efforts 
worthless.  As  recently  reported  data  losses  prove,  unclear  security  procedures  and  unin¬ 
formed  end  users  can  rip  gaping  holes  in  otherwise  secure  systems.  We  identify  10  of  the 
most  serious  problems  and  provide  10  simple  solutions  that  could  keep  your  company  off 
the  front  page  of  The  Wall  Street  Journal.  By  Thomas  Wailgum 

74  |  RETIREMENT  KEEPS  HIM  BUSY 

TIAA-CREF  HAS  EXPANDED  its  business  beyond  pensions  to  include  variable  annuities, 
insurance,  financial  advice,  trust  services  and  college  tuition  financing.  But  by  2002, 
TIAA-CREF’s  business  had  grown  so  complex  that  high  operating  costs  were  beginning 
to  impair  its  ability  to  compete  as  more  agile  companies  threatened  to  lure  away  its  clients. 
Enter  Herbert  Allison,  who  became  CEO  in  2002  and  was  charged  with  modernizing  and 
restructuring  the  company.  Allison  quickly  raised  the  profile  of  the  company’s  CTO  and 
centralized  IT.  In  this  View  from  the  Top  interview,  Allison  describes  how  he  supported 
the  development  of  a  new  technology  platform  for  the  company  that  would  allow  TIAA- 
CREF  to  meet  its  strategic  priorities.  By  Meridith  Levinson 

85  |  HOW  TO  WRITE  A  MEMORABLE  MEMO 

MASTERING  THE  SEEMINGLY  MUNDANE  art  of  writing  memorandums  might  not 
seem  like  a  career  advancer  but,  in  fact,  memos  remain  the  key  way  of  communicating 
within  companies.  While  today  memos  are  often  sent  electronically,  they’re  still  the  way 
companies  communicate  strategies,  directives,  meeting  results  and  employee  performance. 
In  this  article,  part  of  our  Advanced  Communications  series,  we  define  best  practices  for 
memo  writing.  Among  them  are:  writing  the  memo  with  a  clear  idea  of  who  the  reader  is; 
keeping  it  short  (a  half-page  is  ideal  but  keeping  it  under  three  pages  is  a  must);  and  getting 
trusted  feedback  before  distributing  (a  second  pair  of  eyes  can  save  you  from  making 
critical  mistakes).  By  Michael  Fitzgerald 


100 


OCTOBER  15,  2005  |  www.cio.com 


PHOTO  BY  KEVIN  MIYAZAKI 


With  Sybase®  software,  the  PRC  Ministry  of  Railways 
developed  an  innovative  ticket  sales  and  reservation  system  that: 


Processes  passenger  traffic  of  more  than  one  billion  people  a  year 
Handles  up  to  5,000  ticket  requests  simultaneously 
Q/Captures  and  analyzes  passenger  data  on  national,  regional  and  local  levels 


Replacing  an  outdated,  paper-based  ticketing  system  that  supports  one  of  the  largest  railway  networks  in  the  world  is  a  monumental  task.  That’s  why, 
when  the  People's  Republic  of  China  (PRC)  Ministry  of  Railways  wanted  the  right  technology  partner,  they  chose  Sybase.  Using  Sybase  Adaptive  Server® 
Enterprise,  Sybase®  10,  and  Replication  Server®  software,  the  PRC  created  an  information  edge  that  enables  passengers  to  purchase  round-trip  or 
one-way  tickets  from  24  regional  ticket  centers,  510  booking  systems  and  over  5,000  counter  terminals.  That  means  customers  are  happier.  Employee 
productivity  is  up.  And  trains  are  filled  with  people...  and  profits,  www.sybase.com/infoedgell 


Copyright  ©2005  Sybase,  Inc.  All  rights  reserved.  Sybase,  the  Sybase  logo.  Adaptive  Server  and  Replication  Server  are  trademarks  of  Sybase,  Inc. 
•indicates  registration  in  the  United  States  of  America.  All  product  and  company  names  are  trademarks  of  their  respective  owners. 


Sybase 


Iiw 


2002 


2003 


2004 


CHANGING  THE  LANDSCAPE  OF 
BUSINESS  INTELLIGENCE! 

[Integrating  financial  management  and  BI  to  create  the  first  Business  Performance  Management  system.] 


INTRODUCING  HYPERION  SYSTEM™  9 


Now  you  can  attain  performance  visibility  and  take  immediate  action  to 
solve  business  problems  with  the  new  Hyperion  System  9.  Built  as  a  single 
modular  system,  Hyperion  System  9  increases  productivity  while  reducing 
risk  and  TCO.  It’s  straightforward  for  IT  to  integrate  with  database  and 
transaction  systems.  And  it’s  even  simpler  for  end-users  to  learn  and  use. 
See  the  launch  webcast:  www.hyperion.com/launch 


o  • 

ooo 

o  o 

Hyperion* 


300268  338 

3195.44  .*2.558 

m *r2 

2T60  42  .0.00?  *0 ' 

2810  33  +1X*8  *0< 


CONTRIBUTION  TO  EBITDA/REGION 

CURRENCY:  EUROS/SHARE 


FACTORY  VOLUME  OUTPUT 

UNITS/HOUR/YEAR 


LATAM  €:  0.07 


N.  AMERICA  €:  0.45 


APAC  € 


SHENZHEN,  CHINA 
CLEVELAND,  OHIO, 
SAO  PAOLO.  BRAZI 
KYIV.  UKRAINE 
MUMBAI.  IND!>/ 


+13% 


i  mm?  ii/nmmui 
warn  MM/Mum , 


